Method and system for clustering event messages and managing event-message clusters

ABSTRACT

The current document is directed to methods and systems that process, classify, efficiently store, and display large volumes of event messages generated in modern computing systems. In a disclosed implementation, received event messages are assigned to event-message clusters based on non-parameter tokens identified within the event messages. A parsing function is generated for each cluster that is used to extract data from incoming event messages and to prepare event records from event messages that more efficiently and accessible store event information. The parsing functions also provide an alternative basis for assignment of event messages to clusters. Event types associated with the clusters are used for gathering information from various information sources with which to automatically annotate event messages displayed to system administrators, maintenance personnel, and other users of event messages.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation-in-part of application Ser. No.14/313,802, filed Jun. 24, 2014.

TECHNICAL FIELD

The current document is directed to event logging and event-loginterpretation in complex computing systems and, in particular, tomethods and systems that process event messages in order to classifyeach event message as belonging to a particular event-message type, useevent-message-type information for interpreting the contents of eventlogs and for compactly storing event logs, and provide automatedannotation of displayed event logs with information obtained fromvarious different information sources related to the event typesassociated with the event logs.

BACKGROUND

During the past seven decades, electronic computing has evolved fromprimitive, vacuum-tube-based computer systems, initially developedduring the 1940s, to modern electronic computing systems in which largenumbers of multi-processor servers, work stations, and other individualcomputing systems are networked together with large-capacitydata-storage devices and other electronic devices to producegeographically distributed computing systems with hundreds of thousands,millions, or more components that provide enormous computationalbandwidths and data-storage capacities. These large, distributedcomputing systems are made possible by advances in computer networking,distributed operating systems and applications, data-storage appliances,computer hardware, and software technologies. Despite all of theseadvances, however, the rapid increase in the size and complexity ofcomputing systems has been accompanied by numerous scaling issues andtechnical challenges, including technical challenges associated withcommunications overheads encountered in parallelizing computationaltasks among multiple processors, component failures, anddistributed-system management. As new distributed-computing technologiesare developed and as general hardware and software technologies continueto advance, the current trend towards ever-larger and more complexdistributed computing systems appears likely to continue well into thefuture.

In modern computing systems, individual computers, subsystems, andcomponents generally output large volumes of status, informational, anderror messages that are collectively referred to, in the currentdocument, as “event messages.” In large, distributed computing systems,terabytes of event messages may be generated each day. The eventmessages are often collected into event logs stored as files indata-storage appliances and are often analyzed both in real time, asthey are generated and received, as well as retrospectively, after theevent messages have been initially processed and stored in event logs.Event messages may contain information that can be used to detectserious failures and operational deficiencies prior to the accumulationof a sufficient number of failures and system-degrading events that leadto data loss and significant down time. The information contained inevent messages may also be used to detect and ameliorate various typesof security breaches and issues, to intelligently manage and maintaindistributed computing systems, and to diagnose many different classes ofoperational problems, hardware-design deficiencies, and software-designdeficiencies.

It has proved to be a challenging task for system administrators, systemdesigners and developers, and system users to identify informationwithin the enormous event logs generated in distributed computingsystems relevant to detecting and diagnosing operational anomalies anduseful in administering, managing, and maintaining distributed computersystems. System administrators, maintenance personnel, and other usersof event messages continue to seek new automated methods and subsystemsto facilitate using event logs to detect and diagnose operationalanomalies and to administer, manage, and maintain distributed computersystems.

SUMMARY

The current document is directed to methods and systems that process,classify, efficiently store, and display large volumes of event messagesgenerated in modern computing systems. In a disclosed implementation,received event messages are assigned to event-message clusters based onnon-parameter tokens identified within the event messages. A parsingfunction is generated for each cluster that is used to extract data fromincoming event messages and to prepare event records from event messagesthat more efficiently and accessible store event information. Theparsing functions also provide an alternative basis for assignment ofevent messages to clusters. Event types associated with the clusters areused for gathering information from various information sources withwhich to automatically annotate event messages displayed to systemadministrators, maintenance personnel, and other users of eventmessages.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 provides a general architectural diagram for various types ofcomputers.

FIG. 2 illustrates an Internet-connected distributed computer system.

FIG. 3 illustrates cloud computing. In the recently developedcloud-computing paradigm, computing cycles and data-storage facilitiesare provided to organizations and individuals by cloud-computingproviders.

FIG. 4 illustrates generalized hardware and software components of ageneral-purpose computer system, such as a general-purpose computersystem having an architecture similar to that shown in FIG. 1.

FIGS. 5A-B illustrate two types of virtual machine and virtual-machineexecution environments.

FIG. 6 illustrates an OVF package.

FIG. 7 illustrates virtual data centers provided as an abstraction ofunderlying physical-data-center hardware components.

FIG. 8 illustrates virtual-machine components of a virtual-data-centermanagement server and physical servers of a physical data center abovewhich a virtual-data-center interface is provided by thevirtual-data-center management server.

FIG. 9 illustrates a cloud-director level of abstraction. In FIG. 9,three different physical data centers 902-904 are shown below planesrepresenting the cloud-director layer of abstraction 906-908.

FIG. 10 illustrates virtual-cloud-connector nodes (“VCC nodes”) and aVCC server, components of a distributed system that provides multi-cloudaggregation and that includes a cloud-connector server andcloud-connector nodes that cooperate to provide services that aredistributed across multiple clouds.

FIG. 11 illustrates a simple example of event-message logging andanalysis.

FIG. 12 shows a small, 11-entry portion of a log file from a distributedcomputer system.

FIG. 13 illustrates the event-message-processing approach represented bycertain of these methods and systems.

FIG. 14A illustrates one implementation of clustering methods andsystems to which the current document is directed.

FIG. 14B illustrates processing of a first event message.

FIG. 14C illustrates processing of a second message.

FIGS. 15-20 illustrate one implementation of the logic used by anevent-message-clustering system to compute a metric for a received eventmessage that allows the event message to be assigned to a particularexisting cluster.

FIG. 21 illustrates an implementation of the event-message-clusteringsystem to which the current document is directed at a greater level ofdetail than, but using the same illustration conventions as used in,FIG. 14A.

FIG. 22 illustrates a cluster-merge operation.

FIG. 23 illustrates a cluster-split operation.

FIG. 24 provides a final illustration of one implementation of theevent-message-clustering system to which the current document isdirected.

FIG. 25 illustrates a process that extracts parameter values from anevent message.

FIGS. 26A-C illustrate examples of editing of the redirection-ruletable.

FIGS. 27A-G provide control-flow diagrams that illustrate oneimplementation of the event-message-clustering system and methods usedwithin the event-message-clustering system to which the current documentis directed.

FIG. 28A illustrates regular expressions corresponding to various typesof formats in which dates may be encoded in event messages.

FIG. 28B illustrates construction of generalized regular expressionsthat identify two or more types of date formats.

FIG. 28C illustrates an example of the use of regular expressions intext processing.

FIG. 28D shows a representation of the deterministic finite automata2860 corresponding to the regular expression 2850 in the example shownin FIG. 28C.

FIGS. 29A-C illustrate implementation of a regular-expression-basedvariable-finding subsystem.

FIGS. 30A-B illustrate a general approach to generating a parsingfunction for an event-message cluster.

FIGS. 31A-C illustrate a computational method for identifying the staticor conserved substrings within a cluster of event messages.

FIGS. 32A-B illustrate the process of obtaining a more specific regularexpression by identifying encoded data within the variable portions ofthe event messages.

FIGS. 33A-C provide control-flow diagrams for a function “generate RE”that generates a parsing function, based on a regular expression, for anumber of event messages within a cluster.

FIGS. 34A-B illustrate a final regular expression and data-tabletemplate prepared by the method illustrated in FIGS. 33A-C for theexample of FIGS. 31A and 32A.

FIGS. 35A-E provide control-flow diagrams to illustrate a simpleimplementation of an event-message processing system in which some ofthe logic of previously described downstream analysis subsystems may beincorporated within the framework of the previously described clusteringsubsystem.

FIGS. 36A-B illustrate the information provided by the clusteringsubsystem about event messages that can be used to assign significancevalues to event messages which, in turn, can be employed for varioustypes of event-message prioritization.

FIG. 37 illustrates computation of the significance of an event message.

FIGS. 38A-E illustrate various distance-based and density-based methodsfor estimating the significance of an event message based on the featurevector computed for the event message.

FIG. 39 illustrates another approach to estimating significance of anevent message e_(i).

FIG. 40 illustrates a variety of other types of significance factorsthat can be computed based on analysis of event logs.

FIGS. 41A-D illustrate, using control-flow diagrams, prioritization ofevent messages based on the above-discussed significance metrics.

FIGS. 42A-B illustrate certain advantages provided by event clustering,discussed in previous subsections, related to display of event-log andlog-file entries, which can be clustered into event-type categories bythe above-discussed clustering methods.

FIGS. 43A-D illustrate the basis for an automated approach toefficiently obtaining additional information about event types,displayed to a user by an event-log-analysis system, such as in thedisplay screen shown in FIG. 42B.

FIG. 44 illustrates a simple relational-database schema used in oneimplementation of the disclosed methods and systems to store theadditional information that has been accumulated for event clusters orevent types.

FIG. 45 provides a structured query language (“SQL”) routine thatgathers additional-information entities related to a particular eventtype from the relational-database table shown in FIG. 44 and insertsthem into a Results table for use by a display routine for displayingadditional information related to event types, as discussed below.

FIGS. 46A-D illustrate one implementation of an event-type displayinterface, such as that discussed above with reference to FIG. 42B, thatfurther includes mechanisms for the display of additional informationassociated with any particular event type, using additional informationstored within a physical data-storage device, such as aphysical-data-storage device storing the above-discussed relationaltables.

FIGS. 47A-C provide control-flow diagrams that illustrate how display ofadditional information related to event types or event clusters isincorporated into a subsystem that displays event-log entries and/orevent types, examples of which include the display screens shown inFIGS. 42A-B.

FIG. 48 provides a control-flow diagram that illustrates preparation ofa database of additional-information entities, such as the databasestored in the relational tables discussed above with reference to FIG.44.

DETAILED DESCRIPTION

The current document is directed to methods and systems for processing,classifying, efficiently storing, and displaying event messages. In afirst subsection, below, a detailed description of computer hardware,complex computational systems, and virtualization is provided withreference to FIGS. 1-10. In a second subsection, implementations of thecurrently disclosed methods and systems that process, classify, andefficiently store event messages are discussed with reference to FIGS.11-27G. In a third subsection, generation of parsing functions forevent-message clusters is discussed with reference to FIGS. 28A-41D. Ina final subsection, the automated displayed event-message annotationmethods and subsystems to which the current document is particularlydirected are discussed with reference to FIGS. 42A-48.

Computer Hardware, Complex Computational Systems, and Virtualization

The term “abstraction” is not, in any way, intended to mean or suggestan abstract idea or concept. Computational abstractions are tangible,physical interfaces that are implemented, ultimately, using physicalcomputer hardware, data-storage devices, and communications systems.Instead, the term “abstraction” refers, in the current discussion, to alogical level of functionality encapsulated within one or more concrete,tangible, physically-implemented computer systems with definedinterfaces through which electronically-encoded data is exchanged,process execution launched, and electronic services are provided.Interfaces may include graphical and textual data displayed on physicaldisplay devices as well as computer programs and routines that controlphysical computer processors to carry out various tasks and operationsand that are invoked through electronically implemented applicationprogramming interfaces (“APIs”) and other electronically implementedinterfaces. There is a tendency among those unfamiliar with moderntechnology and science to misinterpret the terms “abstract” and“abstraction,” when used to describe certain aspects of moderncomputing. For example, one frequently encounters assertions that,because a computational system is described in terms of abstractions,functional layers, and interfaces, the computational system is somehowdifferent from a physical machine or device. Such allegations areunfounded. One only needs to disconnect a computer system or group ofcomputer systems from their respective power supplies to appreciate thephysical, machine nature of complex computer technologies. One alsofrequently encounters statements that characterize a computationaltechnology as being “only software,” and thus not a machine or device.Software is essentially a sequence of encoded symbols, such as aprintout of a computer program or digitally encoded computerinstructions sequentially stored in a file on an optical disk or withinan electromechanical mass-storage device. Software alone can do nothing.It is only when encoded computer instructions are loaded into anelectronic memory within a computer system and executed on a physicalprocessor that so-called “software implemented” functionality isprovided. The digitally encoded computer instructions are an essentialand physical control component of processor-controlled machines anddevices, no less essential and physical than a cam-shaft control systemin an internal-combustion engine. Multi-cloud aggregations,cloud-computing services, virtual-machine containers and virtualmachines, communications interfaces, and many of the other topicsdiscussed below are tangible, physical components of physical,electro-optical-mechanical computer systems.

FIG. 1 provides a general architectural diagram for various types ofcomputers. Computers that receive, process, and store event messages maybe described by the general architectural diagram shown in FIG. 1, forexample. The computer system contains one or multiple central processingunits (“CPUs”) 102-105, one or more electronic memories 108interconnected with the CPUs by a CPU/memory-subsystem bus 110 ormultiple busses, a first bridge 112 that interconnects theCPU/memory-subsystem bus 110 with additional busses 114 and 116, orother types of high-speed interconnection media, including multiple,high-speed serial interconnects. These busses or serialinterconnections, in turn, connect the CPUs and memory with specializedprocessors, such as a graphics processor 118, and with one or moreadditional bridges 120, which are interconnected with high-speed seriallinks or with multiple controllers 122-127, such as controller 127, thatprovide access to various different types of mass-storage devices 128,electronic displays, input devices, and other such components,subcomponents, and computational resources. It should be noted thatcomputer-readable data-storage devices include optical andelectromagnetic disks, electronic memories, and other physicaldata-storage devices. Those familiar with modern science and technologyappreciate that electromagnetic radiation and propagating signals do notstore data for subsequent retrieval, and can transiently “store” only abyte or less of information per mile, far less information than neededto encode even the simplest of routines.

Of course, there are many different types of computer-systemarchitectures that differ from one another in the number of differentmemories, including different types of hierarchical cache memories, thenumber of processors and the connectivity of the processors with othersystem components, the number of internal communications busses andserial links, and in many other ways. However, computer systemsgenerally execute stored programs by fetching instructions from memoryand executing the instructions in one or more processors. Computersystems include general-purpose computer systems, such as personalcomputers (“PCs”), various types of servers and workstations, andhigher-end mainframe computers, but may also include a plethora ofvarious types of special-purpose computing devices, includingdata-storage systems, communications routers, network nodes, tabletcomputers, and mobile telephones.

FIG. 2 illustrates an Internet-connected distributed computer system. Ascommunications and networking technologies have evolved in capabilityand accessibility, and as the computational bandwidths, data-storagecapacities, and other capabilities and capacities of various types ofcomputer systems have steadily and rapidly increased, much of moderncomputing now generally involves large distributed systems and computersinterconnected by local networks, wide-area networks, wirelesscommunications, and the Internet. FIG. 2 shows a typical distributedsystem in which a large number of PCs 202-205, a high-end distributedmainframe system 210 with a large data-storage system 212, and a largecomputer center 214 with large numbers of rack-mounted servers or bladeservers all interconnected through various communications and networkingsystems that together comprise the Internet 216. Such distributedcomputing systems provide diverse arrays of functionalities. Forexample, a PC user sitting in a home office may access hundreds ofmillions of different web sites provided by hundreds of thousands ofdifferent web servers throughout the world and may accesshigh-computational-bandwidth computing services from remote computerfacilities for running complex computational tasks.

Until recently, computational services were generally provided bycomputer systems and data centers purchased, configured, managed, andmaintained by service-provider organizations. For example, an e-commerceretailer generally purchased, configured, managed, and maintained a datacenter including numerous web servers, back-end computer systems, anddata-storage systems for serving web pages to remote customers,receiving orders through the web-page interface, processing the orders,tracking completed orders, and other myriad different tasks associatedwith an e-commerce enterprise.

FIG. 3 illustrates cloud computing. In the recently developedcloud-computing paradigm, computing cycles and data-storage facilitiesare provided to organizations and individuals by cloud-computingproviders. In addition, larger organizations may elect to establishprivate cloud-computing facilities in addition to, or instead of,subscribing to computing services provided by public cloud-computingservice providers. In FIG. 3, a system administrator for anorganization, using a PC 302, accesses the organization's private cloud304 through a local network 306 and private-cloud interface 308 and alsoaccesses, through the Internet 310, a public cloud 312 through apublic-cloud services interface 314. The administrator can, in eitherthe case of the private cloud 304 or public cloud 312, configure virtualcomputer systems and even entire virtual data centers and launchexecution of application programs on the virtual computer systems andvirtual data centers in order to carry out any of many different typesof computational tasks. As one example, a small organization mayconfigure and run a virtual data center within a public cloud thatexecutes web servers to provide an e-commerce interface through thepublic cloud to remote customers of the organization, such as a userviewing the organization's e-commerce web pages on a remote user system316.

Cloud-computing facilities are intended to provide computationalbandwidth and data-storage services much as utility companies provideelectrical power and water to consumers. Cloud computing providesenormous advantages to small organizations without the resources topurchase, manage, and maintain in-house data centers. Such organizationscan dynamically add and delete virtual computer systems from theirvirtual data centers within public clouds in order to trackcomputational-bandwidth and data-storage needs, rather than purchasingsufficient computer systems within a physical data center to handle peakcomputational-bandwidth and data-storage demands. Moreover, smallorganizations can completely avoid the overhead of maintaining andmanaging physical computer systems, including hiring and periodicallyretraining information-technology specialists and continuously payingfor operating-system and database-management-system upgrades.Furthermore, cloud-computing interfaces allow for easy andstraightforward configuration of virtual computing facilities,flexibility in the types of applications and operating systems that canbe configured, and other functionalities that are useful even for ownersand administrators of private cloud-computing facilities used by asingle organization.

FIG. 4 illustrates generalized hardware and software components of ageneral-purpose computer system, such as a general-purpose computersystem having an architecture similar to that shown in FIG. 1. Thecomputer system 400 is often considered to include three fundamentallayers: (1) a hardware layer or level 402; (2) an operating-system layeror level 404; and (3) an application-program layer or level 406. Thehardware layer 402 includes one or more processors 408, system memory410, various different types of input-output (“I/O”) devices 410 and412, and mass-storage devices 414. Of course, the hardware level alsoincludes many other components, including power supplies, internalcommunications links and busses, specialized integrated circuits, manydifferent types of processor-controlled or microprocessor-controlledperipheral devices and controllers, and many other components. Theoperating system 404 interfaces to the hardware level 402 through alow-level operating system and hardware interface 416 generallycomprising a set of non-privileged computer instructions 418, a set ofprivileged computer instructions 420, a set of non-privileged registersand memory addresses 422, and a set of privileged registers and memoryaddresses 424. In general, the operating system exposes non-privilegedinstructions, non-privileged registers, and non-privileged memoryaddresses 426 and a system-call interface 428 as an operating-systeminterface 430 to application programs 432-436 that execute within anexecution environment provided to the application programs by theoperating system. The operating system, alone, accesses the privilegedinstructions, privileged registers, and privileged memory addresses. Byreserving access to privileged instructions, privileged registers, andprivileged memory addresses, the operating system can ensure thatapplication programs and other higher-level computational entitiescannot interfere with one another's execution and cannot change theoverall state of the computer system in ways that could deleteriouslyimpact system operation. The operating system includes many internalcomponents and modules, including a scheduler 442, memory management444, a file system 446, device drivers 448, and many other componentsand modules. To a certain degree, modern operating systems providenumerous levels of abstraction above the hardware level, includingvirtual memory, which provides to each application program and othercomputational entities a separate, large, linear memory-address spacethat is mapped by the operating system to various electronic memoriesand mass-storage devices. The scheduler orchestrates interleavedexecution of various different application programs and higher-levelcomputational entities, providing to each application program a virtual,stand-alone system devoted entirely to the application program. From theapplication program's standpoint, the application program executescontinuously without concern for the need to share processor resourcesand other system resources with other application programs andhigher-level computational entities. The device drivers abstract detailsof hardware-component operation, allowing application programs to employthe system-call interface for transmitting and receiving data to andfrom communications networks, mass-storage devices, and other I/Odevices and subsystems. The file system 436 facilitates abstraction ofmass-storage-device and memory resources as a high-level,easy-to-access, file-system interface. Thus, the development andevolution of the operating system has resulted in the generation of atype of multi-faceted virtual execution environment for applicationprograms and other higher-level computational entities.

While the execution environments provided by operating systems haveproved to be an enormously successful level of abstraction withincomputer systems, the operating-system-provided level of abstraction isnonetheless associated with difficulties and challenges for developersand users of application programs and other higher-level computationalentities. One difficulty arises from the fact that there are manydifferent operating systems that run within various different types ofcomputer hardware. In many cases, popular application programs andcomputational systems are developed to run on only a subset of theavailable operating systems, and can therefore be executed within only asubset of the various different types of computer systems on which theoperating systems are designed to run. Often, even when an applicationprogram or other computational system is ported to additional operatingsystems, the application program or other computational system cannonetheless run more efficiently on the operating systems for which theapplication program or other computational system was originallytargeted. Another difficulty arises from the increasingly distributednature of computer systems. Although distributed operating systems arethe subject of considerable research and development efforts, many ofthe popular operating systems are designed primarily for execution on asingle computer system. In many cases, it is difficult to moveapplication programs, in real time, between the different computersystems of a distributed computer system for high-availability,fault-tolerance, and load-balancing purposes. The problems are evengreater in heterogeneous distributed computer systems which includedifferent types of hardware and devices running different types ofoperating systems. Operating systems continue to evolve, as a result ofwhich certain older application programs and other computationalentities may be incompatible with more recent versions of operatingsystems for which they are targeted, creating compatibility issues thatare particularly difficult to manage in large distributed systems.

For all of these reasons, a higher level of abstraction, referred to asthe “virtual machine,” has been developed and evolved to furtherabstract computer hardware in order to address many difficulties andchallenges associated with traditional computing systems, including thecompatibility issues discussed above. FIGS. 5A-B illustrate two types ofvirtual machine and virtual-machine execution environments. FIGS. 5A-Buse the same illustration conventions as used in FIG. 4. FIG. 5A shows afirst type of virtualization. The computer system 500 in FIG. 5Aincludes the same hardware layer 502 as the hardware layer 402 shown inFIG. 4. However, rather than providing an operating system layerdirectly above the hardware layer, as in FIG. 4, the virtualizedcomputing environment illustrated in FIG. 5A features a virtualizationlayer 504 that interfaces through a virtualization-layer/hardware-layerinterface 506, equivalent to interface 416 in FIG. 4, to the hardware.The virtualization layer provides a hardware-like interface 508 to anumber of virtual machines, such as virtual machine 510, executing abovethe virtualization layer in a virtual-machine layer 512. Each virtualmachine includes one or more application programs or other higher-levelcomputational entities packaged together with an operating system,referred to as a “guest operating system,” such as application 514 andguest operating system 516 packaged together within virtual machine 510.Each virtual machine is thus equivalent to the operating-system layer404 and application-program layer 406 in the general-purpose computersystem shown in FIG. 4. Each guest operating system within a virtualmachine interfaces to the virtualization-layer interface 508 rather thanto the actual hardware interface 506. The virtualization layerpartitions hardware resources into abstract virtual-hardware layers towhich each guest operating system within a virtual machine interfaces.The guest operating systems within the virtual machines, in general, areunaware of the virtualization layer and operate as if they were directlyaccessing a true hardware interface. The virtualization layer ensuresthat each of the virtual machines currently executing within the virtualenvironment receive a fair allocation of underlying hardware resourcesand that all virtual machines receive sufficient resources to progressin execution. The virtualization-layer interface 508 may differ fordifferent guest operating systems. For example, the virtualization layeris generally able to provide virtual hardware interfaces for a varietyof different types of computer hardware. This allows, as one example, avirtual machine that includes a guest operating system designed for aparticular computer architecture to run on hardware of a differentarchitecture. The number of virtual machines need not be equal to thenumber of physical processors or even a multiple of the number ofprocessors.

The virtualization layer includes a virtual-machine-monitor module 518(“VMM”) that virtualizes physical processors in the hardware layer tocreate virtual processors on which each of the virtual machinesexecutes. For execution efficiency, the virtualization layer attempts toallow virtual machines to directly execute non-privileged instructionsand to directly access non-privileged registers and memory. However,when the guest operating system within a virtual machine accessesvirtual privileged instructions, virtual privileged registers, andvirtual privileged memory through the virtualization-layer interface508, the accesses result in execution of virtualization-layer code tosimulate or emulate the privileged resources. The virtualization layeradditionally includes a kernel module 520 that manages memory,communications, and data-storage machine resources on behalf ofexecuting virtual machines (“VM kernel”). The VM kernel, for example,maintains shadow page tables on each virtual machine so thathardware-level virtual-memory facilities can be used to process memoryaccesses. The VM kernel additionally includes routines that implementvirtual communications and data-storage devices as well as devicedrivers that directly control the operation of underlying hardwarecommunications and data-storage devices. Similarly, the VM kernelvirtualizes various other types of I/O devices, including keyboards,optical-disk drives, and other such devices. The virtualization layeressentially schedules execution of virtual machines much like anoperating system schedules execution of application programs, so thatthe virtual machines each execute within a complete and fully functionalvirtual hardware layer.

FIG. 5B illustrates a second type of virtualization. In FIG. 5B, thecomputer system 540 includes the same hardware layer 542 and softwarelayer 544 as the hardware layer 402 shown in FIG. 4. Several applicationprograms 546 and 548 are shown running in the execution environmentprovided by the operating system. In addition, a virtualization layer550 is also provided, in computer 540, but, unlike the virtualizationlayer 504 discussed with reference to FIG. 5A, virtualization layer 550is layered above the operating system 544, referred to as the “host OS,”and uses the operating system interface to accessoperating-system-provided functionality as well as the hardware. Thevirtualization layer 550 comprises primarily a VMM and a hardware-likeinterface 552, similar to hardware-like interface 508 in FIG. 5A. Thevirtualization-layer/hardware-layer interface 552, equivalent tointerface 416 in FIG. 4, provides an execution environment for a numberof virtual machines 556-558, each including one or more applicationprograms or other higher-level computational entities packaged togetherwith a guest operating system.

In FIGS. 5A-B, the layers are somewhat simplified for clarity ofillustration. For example, portions of the virtualization layer 550 mayreside within the host-operating-system kernel, such as a specializeddriver incorporated into the host operating system to facilitatehardware access by the virtualization layer.

It should be noted that virtual hardware layers, virtualization layers,and guest operating systems are all physical entities that areimplemented by computer instructions stored in physical data-storagedevices, including electronic memories, mass-storage devices, opticaldisks, magnetic disks, and other such devices. The term “virtual” doesnot, in any way, imply that virtual hardware layers, virtualizationlayers, and guest operating systems are abstract or intangible. Virtualhardware layers, virtualization layers, and guest operating systemsexecute on physical processors of physical computer systems and controloperation of the physical computer systems, including operations thatalter the physical states of physical devices, including electronicmemories and mass-storage devices. They are as physical and tangible asany other component of a computer since, such as power supplies,controllers, processors, busses, and data-storage devices.

A virtual machine or virtual application, described below, isencapsulated within a data package for transmission, distribution, andloading into a virtual-execution environment. One public standard forvirtual-machine encapsulation is referred to as the “open virtualizationformat” (“OVF”). The OVF standard specifies a format for digitallyencoding a virtual machine within one or more data files. FIG. 6illustrates an OVF package. An OVF package 602 includes an OVFdescriptor 604, an OVF manifest 606, an OVF certificate 608, one or moredisk-image files 610-611, and one or more resource files 612-614. TheOVF package can be encoded and stored as a single file or as a set offiles. The OVF descriptor 604 is an XML document 620 that includes ahierarchical set of elements, each demarcated by a beginning tag and anending tag. The outermost, or highest-level, element is the envelopeelement, demarcated by tags 622 and 623. The next-level element includesa reference element 626 that includes references to all files that arepart of the OVF package, a disk section 628 that contains metainformation about all of the virtual disks included in the OVF package,a networks section 630 that includes meta information about all of thelogical networks included in the OVF package, and a collection ofvirtual-machine configurations 632 which further includes hardwaredescriptions of each virtual machine 634. There are many additionalhierarchical levels and elements within a typical OVF descriptor. TheOVF descriptor is thus a self-describing, XML file that describes thecontents of an OVF package. The OVF manifest 606 is a list ofcryptographic-hash-function-generated digests 636 of the entire OVFpackage and of the various components of the OVF package. The OVFcertificate 608 is an authentication certificate 640 that includes adigest of the manifest and that is cryptographically signed. Disk imagefiles, such as disk image file 610, are digital encodings of thecontents of virtual disks and resource files 612 are digitally encodedcontent, such as operating-system images. A virtual machine or acollection of virtual machines encapsulated together within a virtualapplication can thus be digitally encoded as one or more files within anOVF package that can be transmitted, distributed, and loaded usingwell-known tools for transmitting, distributing, and loading files. Avirtual appliance is a software service that is delivered as a completesoftware stack installed within one or more virtual machines that isencoded within an OVF package.

The advent of virtual machines and virtual environments has alleviatedmany of the difficulties and challenges associated with traditionalgeneral-purpose computing. Machine and operating-system dependencies canbe significantly reduced or entirely eliminated by packagingapplications and operating systems together as virtual machines andvirtual appliances that execute within virtual environments provided byvirtualization layers running on many different types of computerhardware. A next level of abstraction, referred to as virtual datacenters or virtual infrastructure, provide a data-center interface tovirtual data centers computationally constructed within physical datacenters. FIG. 7 illustrates virtual data centers provided as anabstraction of underlying physical-data-center hardware components. InFIG. 7, a physical data center 702 is shown below a virtual-interfaceplane 704. The physical data center consists of a virtual-data-centermanagement server 706 and any of various different computers, such asPCs 708, on which a virtual-data-center management interface may bedisplayed to system administrators and other users. The physical datacenter additionally includes generally large numbers of servercomputers, such as server computer 710, that are coupled together bylocal area networks, such as local area network 712 that directlyinterconnects server computer 710 and 714-720 and a mass-storage array722. The physical data center shown in FIG. 7 includes three local areanetworks 712, 724, and 726 that each directly interconnects a bank ofeight servers and a mass-storage array. The individual server computers,such as server computer 710, each includes a virtualization layer andruns multiple virtual machines. Different physical data centers mayinclude many different types of computers, networks, data-storagesystems and devices connected according to many different types ofconnection topologies. The virtual-data-center abstraction layer 704, alogical abstraction layer shown by a plane in FIG. 7, abstracts thephysical data center to a virtual data center comprising one or moreresource pools, such as resource pools 730-732, one or more virtual datastores, such as virtual data stores 734-736, and one or more virtualnetworks. In certain implementations, the resource pools abstract banksof physical servers directly interconnected by a local area network.

The virtual-data-center management interface allows provisioning andlaunching of virtual machines with respect to resource pools, virtualdata stores, and virtual networks, so that virtual-data-centeradministrators need not be concerned with the identities ofphysical-data-center components used to execute particular virtualmachines. Furthermore, the virtual-data-center management serverincludes functionality to migrate running virtual machines from onephysical server to another in order to optimally or near optimallymanage resource allocation, provide fault tolerance, and highavailability by migrating virtual machines to most effectively utilizeunderlying physical hardware resources, to replace virtual machinesdisabled by physical hardware problems and failures, and to ensure thatmultiple virtual machines supporting a high-availability virtualappliance are executing on multiple physical computer systems so thatthe services provided by the virtual appliance are continuouslyaccessible, even when one of the multiple virtual appliances becomescompute bound, data-access bound, suspends execution, or fails. Thus,the virtual data center layer of abstraction provides avirtual-data-center abstraction of physical data centers to simplifyprovisioning, launching, and maintenance of virtual machines and virtualappliances as well as to provide high-level, distributed functionalitiesthat involve pooling the resources of individual physical servers andmigrating virtual machines among physical servers to achieve loadbalancing, fault tolerance, and high availability. FIG. 8 illustratesvirtual-machine components of a virtual-data-center management serverand physical servers of a physical data center above which avirtual-data-center interface is provided by the virtual-data-centermanagement server. The virtual-data-center management server 802 and avirtual-data-center database 804 comprise the physical components of themanagement component of the virtual data center. The virtual-data-centermanagement server 802 includes a hardware layer 806 and virtualizationlayer 808, and runs a virtual-data-center management-server virtualmachine 810 above the virtualization layer. Although shown as a singleserver in FIG. 8, the virtual-data-center management server (“VDCmanagement server”) may include two or more physical server computersthat support multiple VDC-management-server virtual appliances. Thevirtual machine 810 includes a management-interface component 812,distributed services 814, core services 816, and a host-managementinterface 818. The management interface is accessed from any of variouscomputers, such as the PC 708 shown in FIG. 7. The management interfaceallows the virtual-data-center administrator to configure a virtual datacenter, provision virtual machines, collect statistics and view logfiles for the virtual data center, and to carry out other, similarmanagement tasks. The host-management interface 818 interfaces tovirtual-data-center agents 824, 825, and 826 that execute as virtualmachines within each of the physical servers of the physical data centerthat is abstracted to a virtual data center by the VDC managementserver.

The distributed services 814 include a distributed-resource schedulerthat assigns virtual machines to execute within particular physicalservers and that migrates virtual machines in order to most effectivelymake use of computational bandwidths, data-storage capacities, andnetwork capacities of the physical data center. The distributed servicesfurther include a high-availability service that replicates and migratesvirtual machines in order to ensure that virtual machines continue toexecute despite problems and failures experienced by physical hardwarecomponents. The distributed services also include a live-virtual-machinemigration service that temporarily halts execution of a virtual machine,encapsulates the virtual machine in an OVF package, transmits the OVFpackage to a different physical server, and restarts the virtual machineon the different physical server from a virtual-machine state recordedwhen execution of the virtual machine was halted. The distributedservices also include a distributed backup service that providescentralized virtual-machine backup and restore.

The core services provided by the VDC management server include hostconfiguration, virtual-machine configuration, virtual-machineprovisioning, generation of virtual-data-center alarms and events,ongoing event logging and statistics collection, a task scheduler, and aresource-management module. Each physical server 820-822 also includes ahost-agent virtual machine 828-830 through which the virtualizationlayer can be accessed via a virtual-infrastructure applicationprogramming interface (“API”). This interface allows a remoteadministrator or user to manage an individual server through theinfrastructure API. The virtual-data-center agents 824-826 accessvirtualization-layer server information through the host agents. Thevirtual-data-center agents are primarily responsible for offloadingcertain of the virtual-data-center management-server functions specificto a particular physical server to that physical server. Thevirtual-data-center agents relay and enforce resource allocations madeby the VDC management server, relay virtual-machine provisioning andconfiguration-change commands to host agents, monitor and collectperformance statistics, alarms, and events communicated to thevirtual-data-center agents by the local host agents through theinterface API, and to carry out other, similar virtual-data-managementtasks.

The virtual-data-center abstraction provides a convenient and efficientlevel of abstraction for exposing the computational resources of acloud-computing facility to cloud-computing-infrastructure users. Acloud-director management server exposes virtual resources of acloud-computing facility to cloud-computing-infrastructure users. Inaddition, the cloud director introduces a multi-tenancy layer ofabstraction, which partitions VDCs into tenant-associated VDCs that caneach be allocated to a particular individual tenant or tenantorganization, both referred to as a “tenant.” A given tenant can beprovided one or more tenant-associated VDCs by a cloud director managingthe multi-tenancy layer of abstraction within a cloud-computingfacility. The cloud services interface (308 in FIG. 3) exposes avirtual-data-center management interface that abstracts the physicaldata center.

FIG. 9 illustrates a cloud-director level of abstraction. In FIG. 9,three different physical data centers 902-904 are shown below planesrepresenting the cloud-director layer of abstraction 906-908. Above theplanes representing the cloud-director level of abstraction,multi-tenant virtual data centers 910-912 are shown. The resources ofthese multi-tenant virtual data centers are securely partitioned inorder to provide secure virtual data centers to multiple tenants, orcloud-services-accessing organizations. For example, acloud-services-provider virtual data center 910 is partitioned into fourdifferent tenant-associated virtual-data centers within a multi-tenantvirtual data center for four different tenants 916-919. Eachmulti-tenant virtual data center is managed by a cloud directorcomprising one or more cloud-director servers 920-922 and associatedcloud-director databases 924-926. Each cloud-director server or serversruns a cloud-director virtual appliance 930 that includes acloud-director management interface 932, a set of cloud-directorservices 934, and a virtual-data-center management-server interface 936.The cloud-director services include an interface and tools forprovisioning multi-tenant virtual data center virtual data centers onbehalf of tenants, tools and interfaces for configuring and managingtenant organizations, tools and services for organization of virtualdata centers and tenant-associated virtual data centers within themulti-tenant virtual data center, services associated with template andmedia catalogs, and provisioning of virtualization networks from anetwork pool. Templates are virtual machines that each contains an OSand/or one or more virtual machines containing applications. A templatemay include much of the detailed contents of virtual machines andvirtual appliances that are encoded within OVF packages, so that thetask of configuring a virtual machine or virtual appliance issignificantly simplified, requiring only deployment of one OVF package.These templates are stored in catalogs within a tenant's virtual-datacenter. These catalogs are used for developing and staging new virtualappliances and published catalogs are used for sharing templates invirtual appliances across organizations. Catalogs may include OS imagesand other information relevant to construction, distribution, andprovisioning of virtual appliances.

Considering FIGS. 7 and 9, the VDC-server and cloud-director layers ofabstraction can be seen, as discussed above, to facilitate employment ofthe virtual-data-center concept within private and public clouds.However, this level of abstraction does not fully facilitate aggregationof single-tenant and multi-tenant virtual data centers intoheterogeneous or homogeneous aggregations of cloud-computing facilities.

FIG. 10 illustrates virtual-cloud-connector nodes (“VCC nodes”) and aVCC server, components of a distributed system that provides multi-cloudaggregation and that includes a cloud-connector server andcloud-connector nodes that cooperate to provide services that aredistributed across multiple clouds. VMware vCloud™ VCC servers and nodesare one example of VCC server and nodes. In FIG. 10, seven differentcloud-computing facilities are illustrated 1002-1008. Cloud-computingfacility 1002 is a private multi-tenant cloud with a cloud director 1010that interfaces to a VDC management server 1012 to provide amulti-tenant private cloud comprising multiple tenant-associated virtualdata centers. The remaining cloud-computing facilities 1003-1008 may beeither public or private cloud-computing facilities and may besingle-tenant virtual data centers, such as virtual data centers 1003and 1006, multi-tenant virtual data centers, such as multi-tenantvirtual data centers 1004 and 1007-1008, or any of various differentkinds of third-party cloud-services facilities, such as third-partycloud-services facility 1005. An additional component, the VCC server1014, acting as a controller is included in the private cloud-computingfacility 1002 and interfaces to a VCC node 1016 that runs as a virtualappliance within the cloud director 1010. A VCC server may also run as avirtual appliance within a VDC management server that manages asingle-tenant private cloud. The VCC server 1014 additionallyinterfaces, through the Internet, to VCC node virtual appliancesexecuting within remote VDC management servers, remote cloud directors,or within the third-party cloud services 1018-1023. The VCC serverprovides a VCC server interface that can be displayed on a local orremote terminal, PC, or other computer system 1026 to allow acloud-aggregation administrator or other user to accessVCC-server-provided aggregate-cloud distributed services. In general,the cloud-computing facilities that together form amultiple-cloud-computing aggregation through distributed servicesprovided by the VCC server and VCC nodes are geographically andoperationally distinct.

Event-Message Clustering Methods and Systems

FIG. 11 illustrates a simple example of event-message logging andanalysis. In FIG. 11, a number of computer systems 1102-1106 within adistributed computing system are linked together by an electroniccommunications medium 1108 and additionally linked through acommunications bridge/router 1110 to an administration computer system1112 that includes an administrative console 1114. As indicated bycurved arrows, such as curved arrow 1116, multiple components withineach of the discrete computer systems 1102 and 1106 as well as thecommunications bridge/router 1110 generate event messages which areultimately transmitted to the administration computer 1112. Eventmessages may be relatively directly transmitted from a component withina discrete computer system to the administration computer or may becollected at various hierarchical levels within a discrete computer andthen forwarded from an event-message-collecting entity within thediscrete computer to the administration computer. The administrationcomputer 1112 may filter and analyze the received event messages, asthey are received, in order to detect various operational anomalies andimpending failure conditions. In addition, the administration computercollects and stores the received event messages in a data-storage deviceor appliance 1118 as large event-message log files 1120. Either throughreal-time analysis or through analysis of log files, the administrationcomputer may detect operational anomalies and conditions for which theadministration computer displays warnings and informational displays,such as the warning 1122 shown in FIG. 11 displayed on theadministration-computer display device 1114.

FIG. 12 shows a small, 11-entry portion of a log file from a distributedcomputer system. In FIG. 12, each rectangular cell, such as rectangularcell 1202, of the portion of the log file 1204 represents a singlestored event message. In general, event messages are relatively cryptic,including generally only one or two natural-language sentences orphrases as well as various types of file names, path names, and, perhapsmost importantly, various alphanumeric parameters. For example, logentry 1202 includes a short natural-language phrase 1206, date 1208 andtime 1210 parameters, as well as a numeric parameter 1212 which appearsto identify a particular host computer.

There are a number of reasons why event messages, particularly whenaccumulated and stored by the millions in event-log files or whencontinuously received at very high rates during daily operations of acomputer system, are difficult to automatically interpret and use. Afirst reason is the volume of data present within log files generatedwithin large, distributed computing systems. As mentioned above, alarge, distributed computing system may generate and store terabytes oflogged event messages during each day of operation. This represents anenormous amount of data to process, even were the individual eventmessages highly structured and precisely formatted to facilitateautomated processing. However, event messages are not so structured andformatted, which is a second reason that continuously received eventmessages and event logs are difficult to automatically interpret andanalyze. They are even more difficult to manually analyze and interpret,by human system administrators and system analysts. Event messages aregenerated from many different components and subsystems at manydifferent hierarchical levels within a distributed computer system, fromoperating system and application-program code to control programs withindisk drives, communications controllers, and other suchdistributed-computer-system components. The event messages may begenerated according to a variety of different event-message structuringand formatting approaches used by various different vendors andprogrammers. Even within a given subsystem, such as an operating system,many different types and styles of event messages may be generated, dueto the many thousands of different programmers who contribute code tothe operating system over very long time frames. A third reason that itis difficult to process and analyze event messages is that, in manycases, event messages relevant to a particular operational condition,subsystem failure, or other problem represent only a tiny fraction ofthe total number of event messages that are received and logged.Searching for these relevant event messages within an enormous volume ofevent messages continuously streaming into anevent-message-processing-and-logging subsystem of a distributed computersystem may itself be a significant computational challenge. Whiletext-search methodologies may be employed to search for relevant datawithin large log files, such methods are generally quite time-consumingand imprecise. A fourth problem associated with event messages in large,distributed computer systems is that storing and archiving event logsmay itself represent a significant computational challenge. Given thatmany terabytes of event messages may be collected during the course of asingle day of operation of a large, distributed computer system,collecting and storing the large volume of information represented byevent messages may represent a significant processing-bandwidth,communications-subsystems bandwidth, and data-storage-capacitychallenge, particularly when it may be necessary to reliably store eventlogs in ways that allow the event logs to be subsequently accessed forsearching and analysis.

The methods and systems for processing, classifying, and efficientlystoring event messages, collectively referred to as “event-clusteringmethods and systems,” have been devised to address the above-mentionedchallenges associated with event-message processing and analysis as wellas additional deficiencies and problems associated with currentlyavailable event-message processing, analysis, and storage. FIG. 13illustrates the event-message-processing approach represented by certainof these methods and systems. In FIG. 13, a traditional event log 1302is shown as a column of event messages, including the event message 1304shown within inset 1306. The methods and systems to which the currentdocument are directed automatically process event messages, as they arereceived, in order to transform the received event messages into eventrecords, such as event record 1308 shown within inset 1310. The eventrecord 1308 includes a numeric event-type identifier 1312 as well as thevalues of parameters included in the original event message. In theexample shown in FIG. 13, a date parameter 1314 and a time parameter1315 are included in the event record 1308. The remaining portions ofthe event message, referred to as the “non-parameter portion of theevent message,” is separately stored in an entry in a table ofnon-parameter portions that includes an entry for each type of eventmessage. For example, entry 1318 in table 1320 may contain an encodingof the non-parameter portion common to all event messages of type a12634(1312 in FIG. 13). Thus, the methods and systems to which the currentdocument is directed have the effect of transforming traditional eventlogs, such as event log 1302, into stored event records, such asevent-record log 1322, and a generally very small table 1320 withencoded non-parameter portions, or templates, for each different type ofevent message.

The event-record log, such as event-record log 1322, and other types ofaccumulations of event records have numerous advantages over atraditional event-message log. A first advantage is that each eventrecord is typed. Because the event records are typed, the event-recordlog can be easily searched, partitioned, and otherwise processed basedon event-message types, which produces a significant computationaladvantage for downstream event-analysis and event-interpretationsystems. A second advantage is that, as shown in FIG. 13, event-recordlogs are significantly compressed with respect to traditionalevent-message logs. Because only one copy of the non-parameter portionof each type of event message needs to be stored in the associatedtable, a significant data compression is achieved by the methods andsystems to which the current document is directed. The compressionratios achieved depend on the average ratio of non-parameter charactersto parameter characters in event messages. In many cases, compressionratios of between 2:1 and 10:1 can be achieved by storing event recordsrather than event messages. Because terabytes of event messages may becollected on a daily basis within a large, distributed computing system,this potential rate of data compression represents a significantdecrease in computational and hardware-usage overheads. A thirdadvantage of event-record logs in comparison to event-message logs isthat the event-record logs are fully and uniformly structured, whichadditionally facilitates downstream automated analysis andinterpretation. The downstream analysis and interpretation systemsdirectly acquire relevant parameters and an event type from an eventrecord, without the need for parsing and typing a large variety ofdifferent types of event messages.

Returning briefly to FIG. 11, it should be noted that the simple exampleillustrated in FIG. 11 fails to illustrate the entire problem spaceaddressed by the methods and systems to which the current document isdirected. In large, distributed computing systems, for example, it wouldbe impractical to funnel all event messages to a single administrationcomputer. Instead, processing, analysis, and storage of event messagesis typically carried out by multiple discrete computer systems and istherefore also distributed. As a result, methods and systems forprocessing, typing, and efficiently storing event messages need to beboth scalable and distributable over multiple computer systems in orderto be generally useful over a range of different types of distributedcomputing systems as well as over significant time frames during whichdistributed computing systems may increase in size due to continuousaddition of new processing components. The distributedvirtual-data-center and virtual-cloud management systems discussed inthe first subsection of the current document are examples of systems inwhich event-message processing, typing, and storage may be distributedover multiple computational nodes.

In the current application, the phrase “event-message-clustering system”refers to any of various standalone systems as well as subsystems andcomponents of standalone systems and systems within distributedcomputing systems that carry out event-message clustering by theevent-message-clustering methods to which the current document isdirected. The phrase “event message” refers to any of various types ofinformation entities include parameters and non-parametric portions towhich the currently described clustering-based typing methods can beapplied.

FIG. 14A illustrates one implementation of clustering methods andsystems. Rectangles 1402-1406 represent incoming event messages to anevent-message-clustering system. The event-message-clustering systemincludes an event-processing-and-distribution component 1410 andmultiple clusters of event records 1412-1422. Each cluster includesstored event records, such as the stored event records 1424 of cluster1412, and a cluster identifier, such as cluster identifier 1426 ofcluster 1412. The event-message-clustering system 1410 processes eachreceived event message to transform the received event message into anevent record and determines to which cluster to assign the event record.The clusters represent a typing scheme for event messages. In otherwords, each cluster represents a message type. Theevent-message-clustering system 1410 operates in real time to transformevent messages into event records and to type the event messages byassigning each event record corresponding to an event message to aparticular cluster. The stored event records may be accessed bydownstream event-analysis and event-interpretation systems. In certainimplementations, the event records may be physically stored by separatesystems. Event records may not only be accessed by other entities, butmay be periodically flushed to event-record archives, copied todownstream event-record-processing components, and transferred todownstream event-record-processing components. Initially, when a clusteris first initialized and begins storing events, the cluster may storeunprocessed event messages rather than event records for an initialperiod of time. Only when a sufficient number of event messages of aparticular type have been accumulated can downstream analysis componentsprovide tools to the event-message-clustering system that allow theevent-message-clustering system 1410 to transform event messages intoevent records.

FIG. 14B illustrates processing of a first event message. Initially,there are no clusters. The first received event message 1430 initiatescreation of a first cluster 1432 to which thecluster-distributor-component 1434 of the event-message-clusteringsystem 1410 assigns the first event message. A temporary identifier 1436is assigned to the first cluster.

FIG. 14C illustrates processing of a second message. The second eventmessage 1440 is analyzed by the cluster distributor 1434 as representedby the logic shown in inset 1442. In step 1444, the cluster distributorreceives the second message and, in step 1446, computes a numeric metricm for the received event message. In conditional step 1448, the clusterdistributor determines whether the computed metric is close to themetric 1436 assigned to the first cluster. If the computed metric m forthe second event message is sufficiently close to the metric 1436assigned to the first cluster, then the second message is added to thefirst cluster 1450. Otherwise, a new cluster is created 1452 and thesecond event message is added to the new cluster 1454. The metriccomputed for the second event message m is assigned as the metricassociated with the new, second cluster 1456. Subsequently receivedevent messages are similarly processed. Either a subsequently receivedevent message is assigned to an existing cluster, when a metric computedfor the subsequently received event message is sufficiently close to ametric for an existing cluster, or a new cluster is created and thesubsequently received event message becomes the first event messageassigned to the new cluster. Thus, clusters are created dynamically asevent messages are received and processed.

FIGS. 15-20 illustrate one implementation of the logic used by anevent-message-clustering system to compute a metric for a received eventmessage that allows the event message to be assigned to a particularexisting cluster. FIG. 15 illustrates one implementation of anevent-message-normalization procedure that is used to prepare an eventmessage for computation of a metric. The received event message 1502 isfirst tokenized by considering the event message to consist of tokensseparated by non-printing characters, referred to as “white space.” InFIG. 15, this initial tokenization of the event message 1504 isillustrated by underlining of the printed or visible characters. Forexample, the date 1506, time 1508, and vertical bar 1510 at thebeginning of the text contents of the event message 1502, followinginitial tokenization, become a first token 1510, a second token 1511,and a third token 1512, as indicated by underlining.

Next, an initial token-recognition pass is made to recognize any of theinitial tokens as various types of parameter values. Parameter valuesare tokens or message fields that are likely to be highly variable overa set of messages of a particular type. Date/time stamps, for example,are nearly unique for each event message, with two event messages havingan identical date/time stamp only in the case that the two eventmessages are generated within less than a second of one another.Additional examples of parameters include global unique identifiers(“GUIDs”), hypertext transfer protocol status values (“HTTP statuses”),universal resource locators (“URLs”), network addresses, and other typesof common information entities that identify variable aspects of a typeof event. By contrast, the phrase “transmission failure” in eventmessage 1502 likely occurs within each of a large number oftransmission-failure event messages. In FIG. 15, the recognized tokensin the event message following initial token recognition 1516 areindicated by shading. In the example shown in FIG. 15, initial tokenrecognition determines that the first token 1510 is a date, the thirdtoken 1512 is a time, and the seventh token 1518 is a media accesscontrol address (“MAC address”). Various types of symbolically encodedvalues, including dates, times, machine addresses, network addresses,and other such parameter values can be recognized using regularexpressions or programmatically. For example, there are numerous ways torepresent dates. A relatively simple program or a simple set of regularexpressions can be written to recognize symbolically encoded dates inany of the common formats. It is possible that the token-recognitionprocess may incorrectly determine that an arbitrary alphanumeric stringrepresents some type of symbolically encoded parameter when, in fact,the alphanumeric string only coincidentally has a form that can beinterpreted to be a parameter value. The currently described methods andsystems do not depend on absolute precision and reliability of theevent-message-normalization process. Occasional misinterpretationsgenerally do not result in mistyping of event messages and, in the rarecircumstances in which event messages may be mistyped, the mistyping ismost often discovered during subsequent processing. Relativelycomputationally straightforward processing methods are adopted in thecurrently described methods and systems for normalization and typing ofevent messages, because event messages are generally continuouslyreceived at high rates, as a result of which the computational overheadassociated with processing of each event message represents asignificant constraint.

In certain implementations, normalization may terminate followinginitial token recognition. In the implementation illustrated in FIG. 15,the event message is subject to an additional token-recognition stepafter re-tokenizing the non-parameter portions of the event message byremoving punctuation and separation symbols, such as brackets, commas,and dashes that occur as separate tokens or that occur at the leadingand trailing extremities of previously recognized tokens, as shown byunderlining in the event message 1520 in FIG. 15. After removal of thepunctuation and separation symbols, an additional token-recognition passin the example of FIG. 15 recognizes additional types of symbolicallyencoded parameter values, including the three version-4Internet-protocol (“IPv4”) addresses 1522-1524 in event message 1524.

Those tokens that have been recognized in the two token-recognitionpasses are considered to be parameters, denoted “P1,” “P2,” . . . “P6”in the parameterized event message 1526 in FIG. 15. The remaining tokens1528-1532 represent the non-parameter tokens present within the eventmessage. A final pass may involve promoting one or more of thenon-parameter tokens to parameters based on certain criteria. Forexample, token 1529 in the parameterized event message 1526 might beconsidered to be a parameter value that represents the identifier of aserver. In the example shown in FIG. 15, however, no additional tokensare promoted to the status of parameter values following the final pass1534. The result of normalization is therefore a sequence ofnon-parameter tokens interspersed with parameter values 1534 and a table1536 that shows the type and symbol encodings for the parameter values.There are many computational techniques for encoding a list ofnon-parameter tokens recognized within an event message including, asone example, a list of pointers and associated string lengths.

FIG. 16 illustrates the computation of the Adler cyclic redundancy check(“CRC”) value from a token comprising a string of characters. As shownat the top of FIG. 16, the token can be thought of as an array ofcharacters 1602S. Two 16-bit values A_(n) and B_(n) are computed asindicated by the recursive expressions 1604 in FIG. 16. The high and lowbytes of the two 16-bit values A_(n) and B_(n) are arranged 1606 into a32-bit value that constitutes the Adler CRC for the token. The Adler CRCvalues are computed, in many cases, to recognize corruptions of a tokenfollowing network transmission or other such operations. Small one-bitand two-bit transmission errors result in very different Adler CRCvalues computed for the original token and corrupted token receivedthrough an error-introducing communications medium. In oneimplementation of the currently described methods and systems, the AdlerCRC is used for computing a metric m for an event message.

FIG. 17 illustrates computation of a metric m for an event message. Incertain implementations of the currently described methods and systems,the metric m is a vector of integer values. This vector, referred to asa “feature vector,” can be thought of as being computed by amatrix-multiplication-like operation. In FIG. 17, the feature vector v1702 is produced by a matrix-multiplication-like operation in which amatrix-like vector of m functions 1704, each of which takes n argumentsis multiplied by a vector of non-parameter tokens identified within anevent message 1706 to produce the feature vector v 1702. The number ofelements, or number of dimensions, of the feature vector v is equal tothe number of functions in the matrix-like function vector f and thenumber of arguments supplied to each function n is equal to the numberof non-parameter tokens n in the ordered set of non-parameter tokens Tcorresponding to an event message.

FIGS. 18A-C illustrate computation of the distance between two pointsrepresented by vectors. Vectors of dimension n can be thought of asdirected distances in an n-dimensional space or as the coordinates forpoints in an n-dimensional space, where the ray between the origin andthe point is equal to the directed distance represented by the vector.FIG. 18A illustrates vector subtraction, in which a vector v 1802 issubtracted from a vector u 1804 to produce the result vector u−v 1806.FIG. 18B shows the computation of the dot product u−v of two vectors uand v. The dot product 1808 can be viewed as a matrix multiplicationbetween the transpose of the first vector 1810 and the second vector1812. FIG. 18C illustrates computation of the distance between twopoints represented by two vectors u and v. First, a displacement vectord is computed as u−v 1814. Then, the length of the displacement vectoris computed as the square root of the dot product of the displacementvector 1816. The distance between two event messages can be similarlycalculated as the square root of the dot product of the difference, ordisplacement vector, computed from the two feature vectors correspondingto the two event messages. Thus, the metric m computed by oneimplementation of the event-message-clustering system, discussed inFIGS. 14A-C, is a feature vector and an event message is assigned tothat cluster for which the distance between the event message and thefirst event message assigned to the cluster is minimal. In other words,the clusters represent regions in an m-dimensional space that containsimilar event messages.

FIGS. 19 and 20 illustrate one particular implementation for computingfeature vectors and the distance between event messages represented byfeature vectors. As shown in FIG. 19, the function ƒ_(i)( ) forcomputing the value of element i of a feature vector, in the describedimplementation, is:

${f_{i}(T)} = {\begin{matrix}{\arg \mspace{11mu} \max} \\j\end{matrix}{\left( {\left\lbrack {{P_{i}*{{Adler}\left( t_{j} \right)}} + Q_{i}} \right\rbrack {mod}\mspace{14mu} 0{xffffffff}} \right).}}$

In essence, the function ƒ_(i)( ) computes, for each non-parameter tokent_(j) in the event message T, the Adler CRC value, multiplies the AdlerCRC value for t_(j) by a first constant, and then adds a second constantto the product of the Adler CRC value for t_(j) and the first constant.The result is truncated to a 32-bit value using a mod operation. Thefunction ƒ_(i)( ) returns the maximum of these computed values for eachof the non-parameter tokens. FIG. 19 provides an example using theexample tokenized event message 1534 of FIG. 15. The non-parametertokens together comprise an ordered set of tokens T 1904. The functionƒ_(i)( ) computes a 32-bit value h_(j) for each non-parameter tokent_(j) as shown in the set of five expressions 1906. The function ƒ_(i)() returns the maximum of these computed values 1908.

FIG. 20 illustrates computing the distance between two event messagesrepresented by two feature vectors computed for the two event messages.FIG. 20 shows a first feature vector u 2002 corresponding to one eventmessage and a second feature vector v 2004 corresponding to anotherevent message. To compute the distance between the two event messages, adisplacement feature vector d 2006 is first computed. Because the valuesof the feature-vector elements are computed based on Adler CRC values,differences between elements do not correspond to distances inparticular dimensions, since CRC functions tend to produce verydifferent values for different, but similar tokens. Therefore, when twocorresponding elements of two feature vectors are identical, and theirdifferences equal to zero, then the distance-metric for these elementvalues is zero, but when the difference between two correspondingfeature-vector element values is non-zero, it can only be concluded thatthe corresponding feature-vector element values are different and thusare separated by some distance in the corresponding dimension. In thedescribed implementation, all non-zero element values in thedisplacement vector 2006 are replaced by the value “1” to produce amodified displacement vector d′ 2008. The square root of the dot productof the modified displacement vector 2010 is equal to the number ofnon-matching feature-vector elements in the two feature vectors u and vor, equivalently, to the number of non-zero elements in the modifieddisplacement vector d′. However, the square root of the dot product ofthe modified displacement vector is a type of displacement-based metric,just not the familiar Euclidean, or L2, distance metric. Were asimilarity-preserving hash function used, rather than the Adler CRC, incomputing the feature vector, a stepwise distance metric closer to theL2 distance metric would be computable from the feature vectorsrepresenting two event messages.

FIG. 21 illustrates an implementation of the event-message-clusteringsystem to which the current document is directed at a greater level ofdetail than, but using the same illustration conventions as used in,FIG. 14A. In FIG. 21, the event-message-clustering system includesevent-message-processing logic 2102, a distributor component 2104, and aset of n clusters 2106-2116. Each cluster includes a number of assignedevent records, such as the assigned event records 2118 for cluster 2106,a feature vector for the cluster, such as feature-vector 2120 forcluster 2106, a cluster identifier, such as cluster identifier 2122 forcluster 2106, and a processing function, such as processing function2124 for cluster 2106, that can be used by the event-message-clusteringsystem to parse an event message in order to extract parameter valuesfrom the event message. As discussed above with reference to FIG. 14A,after a cluster is first created, the cluster temporarily stores eventmessages, rather than event records, and is associated with a temporaryID and no parsing function. However, once downstream analysis systemshave analyzed an initial set of event messages associated with, orassigned to, the cluster, the downstream analysis systems provide afinal identifier and parsing function for the cluster to theevent-message-clustering system. When a next event message 2130 isreceived by the event-message-clustering system, the event message isnormalized 2142, as discussed above with reference to FIG. 15, and afeature vector v_(r) 2134 is computed for the normalized event message,as discussed above with reference to FIGS. 16-18. The computed featurevector v_(r) is compared with all of the feature vectors for the nclusters to determine a cluster i associated with feature vector v_(i)for which the distance d computed for v_(r) and v_(i) is minimal 2136.When d is less than a threshold value 2138, the event message isprocessed using function ƒ_(i) associated with cluster i to produce acorresponding event record which is output, along with the cluster indexi, to the distributor subcomponent 2104. Otherwise, when d is not lessthan the threshold 2138, a new cluster is created with index i=n+1, thefeature vector computed for the received event message v_(r) isassociated with this cluster 2142, and the received event message ispassed, along with the cluster index, to the distributor subcomponent2104. The distributor subcomponent 2104 then assigns the event messageor event record to the cluster with index i. Again, the event messagesand event records associated with clusters may be physically stored bythe event-message-clustering system or may be stored by anothercomponent, with the event-message-clustering system either returningevent messages and event records to requesting downstream components orreferences to event messages and event records stored in anothercomponent. Event records and event messages may be deleted formclusters, copied to other locations, and periodically archived.

The feature-vector-based typing of event messages provides a firstestimate of event-message classification. However, downstream analyticalcomponents that analyze event messages may determine that two or moreclusters represent a single event-message type and may therefore requestthat the clusters corresponding to these types be merged together.Similarly, downstream analytic components may determine that the eventmessages in a particular cluster actually have two or more differenttypes and may therefore request the event-message-clustering system tosplit the cluster into two or more clusters. The merge and splitoperations thus allow a refinement or fine tuning of the initialfeature-vector-based event-message typing carried out by theevent-message-clustering system.

FIG. 22 illustrates a cluster-merge operation. The left portion of FIG.22 shows n existing clusters 2202 within the event-message-clusteringsystem. A downstream component requests that clusters C₂ and C₄ bemerged together. As a result, the event-message-clustering systemcreates two rules 2204 that indicate that event messages initially typedto belong to C₂ and C₄ now belong to a new cluster C_(n+1). The newcluster 2206 is created to store subsequently received event messagesthat were previously typed as belonging to clusters C₂ and C₄ andclusters C₂ and C₄ 2208-2209 are marked 2210 and 2211, respectively, toindicate that they will no longer be receiving event records and that,after a period of time, may be removed or returned to a pool forreallocation.

FIG. 23 illustrates a cluster-split operation. In an example shown inFIG. 23, a downstream component requests that a cluster C₂ be split intotwo new clusters. The downstream component additionally provides afunction S₂( ) that takes either a feature vector v_(r) or an eventrecord, as an argument, and returns an indication of which of two ormore clusters to assign an event record. In response to the splitrequest, an event-message-processing system adds a split rule 2302 to aset of stored rules that indicates that an event message assigned tocluster C₂ should now be assigned to the cluster returned by a call tothe function S₂( ) where the function S₂( ) returns either C_(n+1) orC_(n+2). In addition, the event-message-clustering system creates thetwo new clusters C_(n+1) and C_(n+2) 2304 and 2306. Finally, theevent-message-clustering system marks 2308 cluster C₂ 2310 as no longerreceiving event records and as a candidate for removal or reallocationafter some period of time. Note that, in the implementation described inFIGS. 22 and 23, new clusters created as a result of merge and splitoperations are not associated with feature vectors, since event recordsare directed to these clusters in two steps, the last of which involvesapplying a redirection rule, such as the redirection rules 2204 and2302. In alternative implementations, rather than using CRC functionsfor computing feature vectors, similarity-preserving hash functions mayinstead be used, as a result of which distances computed as themagnitude of displacement computations on feature vectors may correspondto the degree of dissimilarity between event messages represented by thefeature vectors. In this case, the event-message-clustering system maybe able to use adjustable thresholding and newly computed featurevectors associated with merge and split clusters in order to directevent messages to appropriate clusters based on the computed featurevectors as in the logic 2102 discussed above with FIG. 21.

FIG. 24 provides a final illustration of one implementation of theevent-message-clustering system to which the current document isdirected. FIG. 24 uses similar illustration conventions as used in FIGS.21 and 14A. The event-message-clustering system includesevent-message-processing logic 2402 which includes initial clusterdetermination logic 2104 and table-driven cluster-determinationrefinement logic 2406. The initial cluster determination logic 2404normalizes an input event message, computes a feature vector from thenon-parameter tokens within the normalized event message, and uses thefeature vector to identify a cluster to which to assign the eventmessage. The table-driven cluster-determination-refinement logic 2406applies redirection rules in a table of redirection rules in order tocarry out any specified redirection of the initial cluster determinationthat results from previous merge and split operations, as discussedabove with reference to FIGS. 22 and 23. The distributor subcomponent2408 and clusters 2410 are similar to those described with reference toFIG. 21. The event-message-clustering system additionally includes atable of redirection rules 2412 and a table of static portions for eachmessage type 2414 that allow the event-message-clustering system toregenerate original event messages from event records should theoriginal event messages be needed. The table of redirection rules 2412includes at most one entry for each cluster identifier. A particularcluster may be associated with a single redirection rule or may not beassociated with a redirection rule. As discussed above, the redirectionrules either indicate to which cluster an event message initiallydesignated as belonging to a first cluster should be forwarded orincludes a rule that uses a function to determine to which cluster toforward an event message initially determined to belong to a clusterthat was subsequently split. When a redirection rule is applied to afirst cluster indication to generate a second cluster identification,the redirection-rule table is again accessed to determine whether thereis another redirection rule that may be applied to the second clusteridentification. In other words, redirection rules are iterativelyapplied until a cluster indication is obtained for which there is noredirection rule in the redirection-rule table.

FIG. 25 illustrates a process that extracts parameter values from anevent message. As discussed above, each cluster is associated with aparsing function that allows the event-message-clustering system toextract parameter values from the event message. In the example shown inFIG. 25, the function ƒ_(x) associated with a cluster corresponding toevent-message type x, when applied to a received event message of type x2502, returns an ordered list of parameter values extracted from themessage. The sorted list of parameter values can be assembled into anevent record 2504 that describes the received event message. The eventrecord may include a header with an indication of the event type 2506, alist of parameter values and associated parameter types 2508, and anyadditional information 2510 that an event-message-clustering system maychoose to associate with event records, including details with regard tofrom where the event message was received. A representation of thestatic, non-parameter portion of the message 2512 along with anindication of the message type 2514 may be stored in the static-portiontable (2414 in FIG. 24) to allow the original message 2502 to bereconstituted from the event record 2504 generated from the originalevent message.

The redirection rules stored by the event-message-clustering system maybe periodically analyzed in order to remove and archive unneededredirection rules. In addition, this analysis may recognize situationsin which some number of redirection rules can be replaced, often alongwith readjustments in the set of clusters managed by theevent-message-clustering system. FIGS. 26A-C illustrate examples ofediting of the redirection-rule table. In FIG. 26A, the redirection-ruletable includes two merge redirection rules 2602 and 2604 and asubsequently added split redirection rule 2606. As it turns out, thesplit redirection rule 2606 essentially reverses the merge operationrepresented by the two merge redirection rules 2602 and 2604. In thiscase, the clusters C₂ and C₅₁ can be re-established and the two mergeredirection rules 2602 and 2604 removed, temporarily leaving the splitrule 2606 to allow event messages that were typed as belonging tocluster C₁₀₀ to be retyped during subsequent processing, as shown in theintermediate redirection-rule table 2610. Ultimately, once all eventrecords typed as belonging to cluster C₁₀₀ have been flushed orarchived, the split rule 2606 can be removed to completely restore theredirection table with respect to clusters C₂ and C₅₁ 2612.

FIG. 26B shows another example of redirection-rule-table editing. Inthis example, cluster C₂ was split, as a result of which the split rule2620 was added to the redirection-rule table. Subsequently, merge rules2622 that reverse the split operation were added to the redirection-ruletable. In this case, the split rule 2620 can be removed and the originalcluster C₂ re-established, producing an intermediary redirection-ruletable 2624. Once all the event records typed as belonging to eventsC₁₀₀, C₁₀₁, C₁₀₂, and C₂₀₀ have been removed and archived from theevent-message-clustering system, the merge rules and redirection rulecan be removed to restore the redirection-rule table to its initialcondition with respect to cluster C₂ 2626.

FIG. 26C shows yet an additional example of redirection-rule tableediting. In this example, the cluster C₂ was split three ways, resultingin the addition of redirection rule 2630 to the redirection-rule table2632. Subsequently, each of the new clusters created as a result of thesplit operation were again split, resulting in the addition of splitredirection rules 2634-2636. This set of split redirection rules can bemodified by creating a comprehensive split rule 2640 to directly splitcluster C₂ into the six clusters C₃₀₀, C₃₀₁, C₄₀₀, C₄₀₁, C₅₀₀, and C₅₀₁.The three split redirection rules 2634, 2635, and 2636 are maintaineduntil all event records typed as belonging to clusters C₂₀₀, C₂₀₁, andC₂₀₂ are removed and archived. Then, they can be removed leaving onlythe comprehensive split redirection rule 2640 in the redirection-ruletable 2642. FIGS. 26A-C illustrate a few simple examples ofredirection-rule-table editing and associated cluster reorganization.There are many additional, more complex examples in which chains andcycles of redirection rules can be removed from the redirection table.In addition, clusters can be periodically re-indexed in order tocompress the range of active cluster indexes.

FIGS. 27A-G provide control-flow diagrams that illustrate oneimplementation of the event-message-clustering system and methods usedwithin the event-message-clustering system to which the current documentis directed. FIG. 27A shows an event loop that continuously executeswithin the event-message-clustering system to processevent-message-related events. In step 2702, the event-message-clusteringsystem initializes storage for clusters, the static-portion table, andthe redirection-rule table discussed above with reference to FIG. 24.Then, in step 2704, the event-message-clustering system waits for a nextevent to occur. When the next event occurs, the type of event isdetermined in a series of conditional steps 2706, 2708, 2710, 2712, and2714. Once the event is handled, then, in step 2716, the event handlerdetermines whether or not there are more events queued for handling. Ifso, control returns to step 2706; otherwise, control returns to step2704. When the next-occurring event represents receipt of a nextincoming event message, as determined in step 2706, the routine“incoming message” is called in step 2707. When the next-occurring eventis receipt of a function and identifier for a cluster, as determined instep 2708, the routine “incoming function/identifier” is called in step2709. When the next-occurring event is a cluster-split request, asdetermined in step 2710, the routine “split” is called in step 2711.When the next-occurring event is a cluster merge request, as determinedin step 2712, the routine “merge” is called in step 2713. When thenext-occurring event is a request to flush processed event records, asdetermined in step 2714, the routine “flush” is called in step 2715.

In general, the event-message-clustering system continuously executesand handles any events related to event messages that occur within adistributed computing system. As indicated by ellipses in FIG. 27A,there are many additional types of events that may occur. Calls tohandlers that handle certain of the fully-automated clustering-relatedevents that may occur are shown in FIG. 27A, The handlers are describedbelow with reference to FIGS. 27B-G. However, may other events may occurand may be handled by various implementations of theevent-message-clustering system. As one example, certain implementationssupport interaction with system administrators and other users. In theseimplementations, an interface provided by the event-message-clusteringsystem on a system-administration computer or on remote systems allowssystem administrators and other authorized users to view event logs,edit event logs, archive event logs, monitor incoming event records inreal time, and to issue commands to the event-message-clustering system.These commands include, in certain implementations, commands that directthe event-message-clustering system to merge two or more clusters into asingle cluster, split a particular cluster into multiple clusters, add anew cluster, the new cluster defined by a feature vector, clusteridentifier, and parsing function provided by the user, remove anexisting cluster, and modify an existing cluster. In addition, incertain implementations, a user can identify types of classes of eventmessages that should be ignored and not processed and logged by theevent-message-clustering system. In these systems, initial clusteringmay be driven largely by manual input from a system administrator andmay, in fact, be manually driven over the entire course of event-recordlogging. For example, a manual configuration may direct event messagesto a single cluster, initially, after inspection of the contents ofwhich a system administrator my direct split operations and addadditional clusters through the administration interface. Alternatively,a system administrator may manually specify initial clusters and monitorevent-record logging for a sufficient time to ensure that the automatedclustering has a useful and accurate set of initial clusters, afterwhich automated clustering may increasingly assume responsibility forcluster management and event logging.

FIG. 27B provides a control-flow diagram for the routine “incomingmessage” called in step 2707 of FIG. 27A. In step 2718, the incomingevent message is received. In step 2719, the event message is initiallytokenized based on non-printing characters, as discussed above withreference to FIG. 15. In step 2720, a first pass of parameteridentification is carried out on the tokens produced in step 2719. Instep 2721, the non-parameter tokens may be re-tokenized to removepunctuation and characters used for separation purposes as well as toremove such characters from the leading and trailing extremities ofnon-parameter tokens. In step 2722, a second pass of parameteridentification is carried out in order to attempt to identify additionalparameter values among the non-parameter tokens. In step 2723, a featurevector v_(r) is computed based on the remaining non-parameter tokens.Computation of feature vectors is discussed with reference to FIGS.16-18, above. Finally, in step 2724, the routine “cluster” is called.

FIG. 27C provides a control-flow diagram for the routine “cluster”called in step 2724 of FIG. 27B. In step 2730, local variables d andbest are set to a large number and to null, respectively. Then, in thefor-loop of steps 2732-2737, each currently existing cluster identifiedby cluster index i is considered. In step 2733, the local variable nd isset to the computed distance between the event message represented bythe feature vector v_(r) and the feature vector v_(i) associated withthe currently considered cluster i. When nd is less than d, asdetermined in step 2734, the currently considered cluster is the bestcandidate cluster to which to assign the recently received eventmessage. In this case, d is set to nd and best is set to i, in step2735, in order to store the fact that a new best candidate cluster hasbeen found. When there are more clusters to consider, as determined instep 2736, index i is set to the next cluster index in step 2737 andcontrol returns to the top of the for-loop, in step 2733. When the valuestored in local variable d is less than a threshold value, as determinedin step 2738, then the redirection-rule table is checked to see if thereis a redirection rule for the cluster identified by the contents oflocal variable best. When there is a redirection rule for this cluster,as determined in step 2739, then the redirection rule is used todetermine a final value for best, the index of the cluster to which toassign the recently received event message, in step 2740. As statedabove, whenever a redirection rule is applied to generate a new valuefor best, the redirection-rule table needs to again be accessed in orderto determine whether there is a redirection rule for the clusterreferenced by the new value of best and, when there is a redirectionrule for the cluster referenced by the new value of best, the processcontinues until best references a cluster for which there is noredirection rule. In step 2742, the parsing function associated with thecluster identified by the contents of local variable best is used toprocess the recently received event message to generate an event recordand the event record is then in the cluster identified by the contentsof the local variable best, in step 2742. When d is not less than athreshold value, as determined in step 2738, then a new cluster iscreated and the feature vector v_(r) computed for the recently receivedevent message is associated with the new cluster, in step 2743. In step2744, the recently received event message is added to the new cluster.

FIG. 27D provides a control-flow diagram for the routine “incomingrule/identifier,” called in step 2709 of FIG. 27A. In step 2750, theroutine receives a parsing function and cluster identifier from adownstream event-message analyzing component as well as a secondidentifier i that can be used to identify the cluster for which the newidentifier and parsing function is provided. In step 2752, the routineassociates the parsing function and new identifier with the cluster i.Then, in the for-loop of steps 2754-2756, the routine “incomingrule/identifier” applies the new function to the event messagesassociated with the cluster to transform the event messages into eventrecords.

FIG. 27E provides a control-flow diagram for the routine “split,” calledin step 2711 in FIG. 27A. In step 2760, the routine “split” receives asplit request from a downstream event-message-analysis system. In step2761, the routine “split” determines the arity of the split request, n,and the cluster to be split from the split request. In step 2762, theroutine “split” initializes n new clusters with a set of correspondingcluster indices. In step 2763, the routine “split” adjusts the splitfunction included in the split request to return indexes for the newlycreated clusters in step 2763. Finally, in step 2764, the routine“split” enters a redirection rule in the redirection-rules table andmarks the cluster being split for subsequent removal.

FIG. 27F provides a control-flow diagram for the routine “merge.” Instep 2770, the routine “merge” receives a merge request. In step 2772,the routine “merge” determines the arity of the merge request, n, andinitializes a new cluster to receive event messages that would haveotherwise gone to the clusters being merged. Then, in the for-loop ofsteps 2774-2777, the routine “merge” enters a merge redirection rule inthe redirection-rules table to direct event messages that would havebeen directed to the clusters being merged to the new cluster. Thecurrently considered cluster that is being merged is marked for removalin step 2776. For both merge and split operations, various types oferror checking are carried out to ensure that inconsistent redirectionrules are not added to the redirection-rule table. For example, when acluster is already associated with a redirection rule, a split or mergeoperation directed to the cluster is considered to be an error, in manyimplementations.

FIG. 27G provides a control-flow diagram for the routine “flush” calledin step 2715 of FIG. 27A. In step 2780, the routine “flush” receives aflush request. When the flush request includes a request to remove eventrecords, as determined in step 2782, then, in step 2783, the routine“flush” removes the event records from clusters as requested, in certainimplementations archiving the removed event records or transferring theremoved event records to another entity. Following event-record removal,the routine “flush” determines whether any clusters marked for removalnow have no entries, in step 2784. When there are clusters marked forremoval with no entries, those clusters are removed and potentiallyreturned to a cluster pool for reallocation in step 2785. Finally, instep 2786, the redirection rule table is analyzed to remove unnecessaryredirection rules, potentially adding new clusters and marking no longerneeded clusters for removal as discussed above with reference to FIGS.27A-C. The routine “flush” may be periodically called by a flush-timerexpiration.

Parsing-Function Generation and Cluster Maintenance

One approach to identifying variables in event messages as well as togenerating parsing functions for event-message clusters is to useregular expressions. FIG. 28A illustrates regular expressionscorresponding to various types of formats in which dates may be encodedin event messages. In FIG. 28A, examples of numerous date formats areshown in a left column 2802 and corresponding regular expressions thatcan be used to identify substrings of symbols within a symbol stringrepresenting dates in the formats are provided in a right-hand column2804. Regular expressions are generally symbolic encodings of searchpatterns that can be applied to text in order to identify substrings.The details regarding various regular-expression syntaxes can be foundin numerous references. Regular expressions are widely used intext-processing programs and are included in many modern programminglanguages, including Peri, Ruby, Python, and C++ 11.

In one type of symbolic encoding of dates, a date 2806 can be expressedas a three-character indication of the month, followed by a space,followed by a one-digit or two-digit representation of the day of themonth, followed by another space, and finally followed by a four-digitrepresentation of the year. The regular expression 2808 represents asearch pattern that can be used to find symbolic encodings of dates, inthe format described with reference to date 2806 in FIG. 28A, in textand symbol strings. The parenthesized list of vertical-bar-delimitedthree-character month specifications 2810 indicates that any of thesethree-character month specifications may occur as the first part of thesymbolic encoding of a date. The “/s” 2811 indicates a singlewhite-space character, the bracketed digit range 2812 indicates that oneof the digits 0, 1, 2, or 3 may next occur, but the question mark 2813indicates that the digit may or may not be present, the “Id” 2814indicates that a single digit next occurs, the substring “20” 2815indicates that the digits 2 and 0 next follow, and the pair of “/d”substrings 2816 indicate that two additional digits next occur.

In general, there is not a unique one-to-one mapping between dateformats and regular expressions. Many different regular expressions canbe developed to represent a search pattern for any particulardata-encoding symbol format. Furthermore, more complex regularexpressions can be devised to more exactly specify the substrings thatcan represent a particular date format. For example, regular expression2808 would identify “Feb. 31 2014” within a symbol string as a date,but, of course, February 31^(st) is not a valid date. A more complicatedregular expression can be devised to exclude such invalid dates.

FIG. 28B illustrates construction of generalized regular expressionsthat identify two or more types of date formats. For example, regularexpression 2820 can be used to identify substrings representing datesencoded in either of the first and third date formats shown in theleft-hand column 2802 of FIG. 28A. These two different types of dateformats are similar, differing in that the month is fully spelled out inthe third format 2822 in FIG. 28A, rather than abbreviated, as in thefirst format 2806 and the third format includes a comma following theday, while the first format does not. Regular expression 2824 can beused to identify dates encoded in any of the first three formats 2806,2826, and 2822 illustrated by example in FIG. 28A. A generic regularexpression can be developed to recognize dates encoded in any of a verylarge number of different possible date-encoding formats. However, ingeneral, the more different formats recognized by a regular expression,the larger and more complex the regular expression. In many cases, it ismore computationally efficient to develop a number of regularexpressions to recognize a corresponding number of classes of dateformats and to apply the number of regular expressions iteratively totext in order to identify all the possible dates within the text. Themethods described below employ table-driven searching in which regularexpressions are successively extracted from a table and applied to anevent message in order to identify data encoded in particular formatsassociated with particular data types.

FIG. 28C illustrates an example of the use of regular expressions intext processing. First, as shown by expression 2830 in FIG. 28C, it iswell known that a regular expression 2832 can be transformed into anon-deterministic finite automata 2834. A non-deterministic finiteautomata can, in turn, be transformed into a deterministic finiteautomata 2836, and deterministic finite automata 2836 can be implementedas a computer routine 2838. In other words, a computer routine can bedeveloped to recognize substrings within text specified by any givenregular expression. These computer routines can be embedded withintext-processing routines, many examples of which can be found intext-processing applications and included in programming languages. Oneexample is a routine “find” that returns the indices of substringswithin an input string identified by an input regular expression. FIG.28C shows a declaration for the function “find” 2840. The functionreturns the number of substrings 2842 identified within an input string2844 that correspond to an input regular expression 2846 andadditionally returns, in an array of indices 2848, the indices of thestarting positions within the string of each identified substringcorresponding to the input regular expression. For example, when theinput regular expression indicates a succession of three digits 2850,input of the string 2852 to the function “find” returns the number 2(2854 in FIG. 28C) and the indices 2856 of two three-digit substrings.The initial symbols, or digits, of the two three-digit substrings areshown by arrows 2858-2859 in FIG. 28C.

FIG. 28D shows a representation of the deterministic finite automata2860 corresponding to the regular expression 2850 in the example shownin FIG. 28C. The deterministic finite automata is a state-transitiondiagram that includes an initial state 2862, a non-digit state 2864, andthree digit states, the last 2866 of which represents identification ofa three-digit substring. Arrows represent transitions between statesthat occur on input or consideration of a next symbol of a symbolstring. The identification of a three-digit substring can be recordedupon reaching the final digit state 2866.

Regular expressions can be used, in one implementation of the currentlydescribed event-message-clustering subsystem, to identify variableswithin an event message. FIGS. 29A-C illustrate implementation of aregular-expression-based variable-finding subsystem. FIG. 29A shows atable of data-type/regular-expression pairs 2902 that provides a basisfor variable identification. For each format or class of formats foreach different data type of variables in event messages, a regularexpression is stored in the table. In general, the table is ordered,with more specific data types occurring before, or higher in the tablethan, more generic encoded data. For example, date and time formats aregenerally readily recognized in text and are not ambiguous with respectto formats for other data types, and therefore occur higher in the tablethan more generic data types, such as integers. FIG. 29B shows a resultstable in which results of the variable-identifying subsystem are storedfor a particular processed event message. Each row in the results table2904, such as row 2906, represents an identified variable within anevent message. The variable is characterized by an index of the startingsymbol of the variable 2908, the length of the symbol stringcorresponding to the variable 2909, the row of the data-type table (2902in FIG. 29A) corresponding to the data type of the variable 2910, andthe substring that encodes the variable within the event message 2912.

FIG. 29C provides a control-flow diagram for a routine “find vars” thatidentifies variables within an event message. In step 2920, the routine“find vars” receives an event message to process, initializes a resulttable A, such as result table 2904 shown in FIG. 29B, and sets a localvariable j to 0. Then, in the for-loop of steps 2922-2930, the regularexpressions in the data-type table (2902 in FIG. 29A) are successivelyapplied to the received event message. In step 2923, a next regularexpression is extracted from the data-type table and used as input tothe above-described “find” function. When the number returned by thefunction “find” is greater than 0, as determined in step 2924, then allidentified occurrences of the data type corresponding to the regularexpression are entered into the result table in the inner for-loop ofsteps 2925-2929. Upon completion of the outer for-loop of steps2922-2930, the value stored in variable j is returned, in step 2932, asthe number of variables found in the event message. Note that, once avariable is identified and recorded in the result table, the symbolstring corresponding to the variable is replaced with white space in theevent message, in step 2927, preventing identification of overlappingvariables within the event message. It is for this reason that thedata-type/regular-expression pairs are ordered by descending specificityin the data-type table.

FIGS. 30A-B illustrate a general approach to generating a parsingfunction for an event-message cluster. FIG. 30A shows four very shortevent messages of a particular event-message cluster 3002-33005. FIG.30B illustrates a variety of different regular-expression-based parsingfunctions for the event-message cluster positioned along a verticaldimension of specificity 3006. The most specific parsing function 3008is the literal string corresponding to the first event message 3002.This parsing function would be very effective for recognizing the firstevent message, but would fail to recognize any of the other eventmessages in the cluster. Thus, parsing function 3008 is far too specificto be used as the parsing function for a cluster containing the fourevent messages. By contrast, the most generalized parsing function 3020would return success for all four of the event messages 3002-3005 in thecluster. However, this generic parsing function would return successwhen applied to any event message. A useful parsing function for thecluster 3012 represents a balance, in specificity, between the mostgeneral parsing function 3010 and the most specific parsing function3008. In the useful parsing function 3012, a regular expression that canbe applied to event messages, the common static portions of the eventmessages within the cluster are represented by literals, including thesubstring “Error” and the substring “returned.” The variable substringswithin the event messages are represented, in the regular expression3012, by the regular sub-expression “(.*),” which matches any substring,including an empty substring. Finding an appropriateregular-expression-based parsing function for a cluster of eventmessages thus involves generating a regular expression that represents aspecificity balance and that can be used to extract the variableportions of the event messages of a cluster.

Next, one approach to generating useful parsing functions forevent-message clusters is described. FIGS. 31A-C illustrate acomputational method for identifying the static or conserved substringswithin a cluster of event messages. FIG. 31A provides an illustratedexample of the common-substring-recognizing method. In a left column3102 of FIG. 31A, successive event messages within an event-messagecluster are shown. A right-hand column 3104 of FIG. 31A shows acurrently recognized common substring for the cluster as the methodconsiders, in turn, each successive event message within the cluster.Following consideration of the first event message 3106, the commonsubstring is the entire first event message 3108. This common substring3108 is next considered with respect to the second event message 3110.Comparison of the common substring 3108 to the second event message 3110reveals that, following consideration of the first two event messages inthe cluster, there are two common substrings 3112 and 3114. These twocommon substrings 3112 and 3114 represent the common portions ofprevious common substring 3108 and the second event message 3110. Next,the common substrings 3112 and 3114 are compared to the third eventmessage 3116. As a result of this comparison, two new common substrings3118 and 3120 are produced. This process continues with consideration ofsubsequent event messages to produce common substrings 3122 and 3123which, should the remaining event messages in the cluster follow thesame pattern followed by the initial five event messages in the cluster,represent the common or static portions of all of the event messageswithin the cluster. These two common substrings 3122-3123 can then beused to create an initial regular expression 3124 as the basis for aparsing function for the event messages of the cluster. This initialregular expression includes the literal strings for the two commonsubstrings and regular-expression sub-expressions “(.*)” for thevariable portions of the event messages.

FIGS. 31B-C provide control-flow diagrams that illustrate the method,described above with reference to FIG. 31A, for finding the common orstatic portions of the event messages of a cluster and creating aregular expression, such as regular expression 3124 in FIG. 31A, as thebasis for an initial parsing function for the event messages of thecluster. FIG. 31B provides a control-flow diagram for the routine“common part,” which implements the method illustrated in FIG. 31A. Instep 3130, the routine “common part” receives n event messages of acluster. In step 3131, the routine “common part” sets a list ofsubstrings, common, to the first event message in the received eventmessages of the cluster. Then, in the for-loop of steps 3132-3136, aroutine “filter,” described below, is iteratively applied to the list ofsubstrings common and the next or currently considered event message ofthe cluster in order to continue to reduce the one or more substrings inthe list of substrings “common” to only the static or conserved portionsof all of the event messages of the cluster, as discussed above withreference to FIG. 31A. The list of substrings, common, is set to thelist returned by the routine “filter” in each iteration. Finally, instep 3138, a regular expression, such as regular expression 3124, iscreated from the substrings remaining in the list of substrings common,as discussed above with reference to FIG. 31A.

FIG. 31C provides a control-flow diagram for the routine “filter” calledin step 3133 of FIG. 31B. In step 3140, the routine “filter” receives alist of substrings s and a next event message e. Next, in step 3142, theroutine “filter” sets local variables cov to 0, numSubstrings to a largeinteger, and newS to null. The variable newS references a list ofsubstrings produced by comparing the input list of substrings s with anext event message e. In the for-loop of steps 3144-3148, all possiblemappings of the substrings in the received list of substrings s onto thenext event message e are considered. These mappings represent attemptsto partially or fully overlay the ordered list of substrings onto theevent message. The coverage of such a mapping is the number of symbolsin the event message overlaid with corresponding symbols in thesubstrings. The substrings may be fractured into multiple, smallersubstrings, in order to carry out a mapping. When either the coverage ofthe currently considered mapping is greater than a coverage value storedin the local variable cov, as determined in step 3145, or when coverageof the currently considered mapping is equal to the value stored in thelocal variable cov and the number of substrings m in the currentlyconsidered mapping is less than the value stored in the local variablenumSubstrings, as determined in step 3146, the local variable newS isset to a list of substrings corresponding to the current mapping, cov isset to the coverage of the current mapping, and numSubstrings is set tothe number of substrings in the current mapping, in step 3147. Followingcompletion of the for-loop of steps 3144-3148, the list of substringsnewS is returned in step 3150. Note that is possible for newS to be nullor the empty substring.

Following generation of an initial regular expression, as discussedabove, a more specific regular expression can be obtained by identifyingencoded data within the variable portions of the event messages. FIGS.32A-B illustrate this process. In FIG. 32A, the same event messages3202-3206 used in the example of FIG. 31A are again shown. The initialregular expression obtained using the method discussed above withreference to FIGS. 31A-C can be applied to each event message, using afunction similar to the previously described “find” function, toidentify substrings corresponding to sub-regular expressions within theinitial regular expression. In the example shown in FIG. 32A, thefind-like function is used to identify those substrings within eachevent message corresponding to the variable portions specified by thesub-regular expressions “(.*)” in the initial regular expression. Thesesubstrings are linked together as a list. For example, applying theinitial regular expression to the first event message 3202 produces thelist of two substrings 3210-3211 that contain the variable portions ofthe first event message.

FIG. 32B illustrates a next step in the process of creating a morespecific regular expression. In FIG. 32B, the lists of substringsrepresenting variable portions of event messages, such as the list thatincludes substrings 3210 and 3211, are converted into lists of datatypes contained within the variable portions. In the current example,substring 3210 is recognized as an IP address 3212 and substring 3211 isrecognized as a time 3214. In this case, there are no remainingnon-data-type-encoding symbols in the substrings. As shown in FIG. 32B,all of the lists of substrings corresponding to variable regions of thefive event messages 3202-3206 are converted into corresponding lists ofdata types 3216-3220. Thus, the variable portions of the event messageshave been transformed into lists of data types, allowing the initialregular expression to be transformed into a more specific regularexpression that can serve as the basis for a parsing function that canbe used to extract variable data from each event message of a cluster.

FIGS. 33A-C provide control-flow diagrams for a function “generate RE”that generates a parsing function, based on a regular expression, for anumber of event messages within a cluster. FIG. 33A provides acontrol-flow diagram for the highest level of the function “generateRE.” In step 3302, the function “generate RE” receives a set of eventmessages E. In step 3304, the function “generate RE” calls thepreviously described function “common part” to obtain an initial regularexpression that can be used to extract the variable substrings from theevent messages, as discussed above with reference to FIG. 32A. In thefor-loop of steps 3306-3308, the routine “generate RE” applies theinitial regular expression to each of the event message in E to extractlists of substrings corresponding to the variable regions in the eventmessages. Then, in step 3310, the routine “generate RE” calls a routine“final expression I” to process the lists of variable substrings inorder to generate a final regular expression and a data-table templatethat together represent a basis for a parsing function applicable to theevent messages of a cluster.

FIG. 33B provides a control-flow diagram for the routine “finalexpression I,” called in step 3310 of FIG. 33A. The routine “finalexpression I” includes three nested for-loops. The outer for-loop,comprising steps 3320-3329, considers each event message e in E. Amiddle-level for-loop of steps 3321-3328 considers each variablesubstring extracted from the currently considered e. The inner for-loopof steps 3322-3327 considers each entry in the data-type tablepreviously discussed, above, with reference to FIG. 29A. In these threenested for-loops, any encoded data recognized by application of aregular expression for the encoded data to a currently consideredvariable substring is added to a list of data types for the currentlyconsidered variable substring and the symbols that the encode the dataare removed from the currently considered variable substring. Followingcompletion of the nested loops, the routine “final expression II” iscalled, in step 3330.

FIG. 33C provides a control-flow diagram for the routine “finalexpression II,” called in step 3330 of FIG. 33B. In the nested for-loopsof steps 3340-3345, any of the data types in the lists of data typesprepared for each of the event messages of a cluster that occur in thedata list for each cluster are added to a final data-type list for eachsubstring in the list of substrings for the event messages. In otherwords, only those data types identified in the variable portions of allevent messages of the cluster are used for preparing a final regularexpression. An initial set of nested for-loops, not shown in FIG. 33C,may be used to determine which of the data types in the list of datatypes are present in a substring of each of the event messages, to allowfor the determination, in step 3342, of whether or not a currentlyconsidered data type is found at the same position in the same substringof every event message. Then, in the nested for-loops of steps3350-3354, all of the data types that were found at the same positionsin the variable portions of all of the event messages are incorporatedinto a final regular expression for the cluster and are additionallyentered as separate entries of a data-table template that is used, alongwith the final regular expression, for parsing event messages of acluster.

FIGS. 34A-B illustrate a final regular expression and data-tabletemplate prepared by the method illustrated in FIGS. 33A-C for theexample of FIGS. 31A and 32A. The initial regular expression 3402 forthe example is transformed, as indicated in FIG. 34A, into a finalexpression 3404 by adding sub-regular expressions 3406 and 3408 for theIP-address and time encoded data, bracketed by sub-regular expressions“C*),” for each of the variable portions represented in the initialregular expression 3402 by the sub-regular expression “(.*).” Note thatthe actual sub-regular expressions for IP addresses and times are notshown in FIG. 34A, but instead are symbolically represented by “(IPv4)”and “(time),” respectively. In general, the event messages of a clusterconsistently use the same data-type formatting for each variable datavalue included in the event messages of the cluster, so that only asingle sub-regular expression for each variable is needed in the finalregular expression for the cluster. The data-table template 3410consists of two rows 3412 and 3414. The first row 3412 includes anindication that the row represents an IP address, in a first column, andincludes a field 3416, in a second column, to hold the encoding of an IPaddress extracted from an event message. Similarly, the second row 3414includes an indication that the row is a time value 3417 and a field3418 to contain a time value extracted from an event message. The finalregular expression combined with the data table obtained by applying thefinal regular expression to an event message together represent the sameinformation as represented by the data structures shown in, anddiscussed with reference to, FIG. 25. Thus, a final regular expressionprepared by the above-discussed methods and data-table template,together, can be used as the parsing function for a cluster.

As discussed in preceding subsections, the parsing function for acluster may be generated by downstream analytic subsystems and furnishedby these downstream subsystems to a clustering subsystem. Similarly,these downstream analytic subsystems may provide indications to theclustering subsystem for when to apply split and merge operations toclusters. FIGS. 35A-E provide control-flow diagrams to illustrate asimple implementation of an event-message processing system in which aportion of the logic previously described as being included indownstream analytic subsystems may be incorporated within the frameworkof the previously described clustering subsystem.

FIG. 35A illustrates small modifications made to previously discussedFIG. 27C in order to allow for detecting failed parsing of eventmessages. Previously, in step 2742, the parsing function ƒ_(best) wasapplied by the routine “cluster” to the event message and assumed tosucceed. In the modified function “cluster,” shown in FIG. 35A, thatassumption is no longer made. In step 3502, the modified function“cluster” determines whether or not application of the parsing functionsucceeded. As discussed above, a parsing function succeeds when theregular function on which it is based is matched to an entire eventmessage or a portion of an event message. When application of theparsing function succeeds, then, in step 3504, the modified function“cluster” generates an event record and stores the event record in thecluster best. Otherwise, in step 3506, the failure of the parsingfunction is recorded and the event message is saved for subsequentprocessing.

FIG. 35B illustrates modifications to previously discussed FIG. 27A toallow for a maintenance routine to be periodically called in order tocarry out various types of maintenance on the current set of clustersfor event messages. Step 2702 is modified to include setting of amaintenance timer. Step 3510 is added to detect amaintenance-timer-expiration event. When that event is detected, thefunction “maintenance” is called in step 3512.

FIG. 35C provides a control-flow diagram for the routine “maintenance,”called in step 3512 of FIG. 35B. In a for-loop of steps 3520-3526, eachcurrent cluster is considered. When the number of parsing failuresrecorded for the cluster exceeds a threshold value, as determined instep 3521, the routine “maintenance” call the previously discussedfunction “generate RE” to determine a new parsing function for thefailed messages, in step 3522, generates a split event for the clusterin step 3523, transfers the saved event messages to the new cluster instep 3524, and generates an incoming rule/identifier event, in step3525, to supply the regular expression obtained in step 3522 as aparsing function for the new cluster. The transfer of the saved eventmessages, in step 3524, may need to be asynchronous so that the transferis completed once the cluster subsystem has created the new cluster. Theparsing-failure record is erased, as well, in step 3524, for theoriginal cluster. After completion of the for-loop of steps 3520-3526,the maintenance timer is reset in step 3528.

The association of parsing functions with clusters provides anadditional approach to processing incoming event messages. FIG. 35Dprovides a control-flow diagram for a modified incoming-message routinecalled “incoming message II” The new modified incoming-message routineis called in step 2707 of FIG. 27A in place of the originalincoming-message routine. In step 3530, an event message is received. Inthe for-loop of steps 3532-3537, each current cluster i is considered.When the current cluster is associated with a parsing function, asdetermined in step 3533, the parsing function is applied to the receivedevent message in step 3534. When the parse is successful, as determinedin step 3535, an event record is generated from the parsing function anddata table obtained by applying the parsing function to the eventmessage and the event record is stored in the currently consideredcluster, in step 3536. When no parsing function of any current clustercan successfully be applied, the event message is passed on to theoriginal function “incoming message” in step 3538 for processing by theoriginal clustering method.

FIG. 35E provides a control-flow diagram for a second version of themaintenance routine. The second version is called “maintenance II.” Inthe for-loop of steps 3540-3544, any cluster that is not currentlyassociated with a parsing function is processed to generate a parsingfunction for the cluster. Thus, the routine “maintenance II” detectsrelatively recently created clusters and generates parsing functions forthem. Of course, the function “maintenance II” may defer generating aparsing function until there are a sufficient number of event messagesassociated with a cluster to provide an acceptable probability ofgenerating an appropriate parsing function for the cluster. In step3546, the routine “maintenance II” calls the original maintenanceroutine, discussed above with reference to FIG. 35C, to split clustersthat have more than a threshold amount of parsing failures. Finally, instep 3548, the routine “maintenance II” calls an additional function todetect unbalanced clustering and/or multiple clusters that are mutuallyparseable by their respective parsing functions. These may beindications of clusters that should be merged into a single cluster.When analysis by this routine indicates that the two clusters should bemerged, the routine generates a merge event for subsequent handling bythe previously discussed merge function.

FIGS. 36A-B illustrate the information provided by the clusteringsubsystem about event messages that can be used to assign significancevalues to event messages which, in turn, can be employed for varioustypes of event-message prioritization. As shown in FIG. 36A, and asdiscussed, in detail, in the preceding subsection, the clusteringsubsystem organizes event messages into clusters, illustrated in FIG.36A by dashed circles 3602-3607. Within these clusters, the varioustypes of event messages within the cluster are represented by smalldisks, such as disk 3610 within cluster 3602. Each event-message type isassociated with a feature vector as are the clusters. In general, theevent-message types are not evenly or uniformly distributed within ahyper-dimensional sphere about the cluster position represented by thefeature vector associated with the cluster. Thus, in FIG. 36A, the eventtypes are shown as non-uniformly distributed within the disks of theclusters. Of course, the feature vector space is a generallyhigh-dimensional space rather than a two-dimensional disk, but thenon-uniform distribution of positions corresponding to feature vectorsassociated with event-message types is analogously non-uniformlypopulated with positions corresponding to event-message feature vectors.The clustering subsystem additionally provides data-table templates3612-3617 for each cluster for storing the values of encoded dataextracted from event messages via the parsing function associated with acluster. The data-table templates include indications of the data typesof the encoded data.

In addition to the clustering-subsystem-provided information shown inFIG. 36A, the event records generated from event messages are stored inevent logs. The event log 3630 can be considered to be a very long tableor file that contains a series of time-ordered event records. In FIG.36A, each event record is represented by a row in the event log 3630,such as the event record corresponding to the first row 3632 of theevent log. The event records may, as shown in FIG. 36B, include acluster-ID field 3634, a time field 3636, a date field 3638, and a fieldthat contains the event record prepared from a corresponding eventmessage by the clustering subsystem 3640.

Another type of information may be used for event-messageprioritization. As shown in FIG. 36B, the distributed computing systemmay independently keep track of the time of various critical systemevents that occur. It may be possible to determine the position of thesecritical events within the timeline represented by the event log. Asshown in FIG. 36B, for example, a critical event occurred at a time 3642that falls between the times associated with event record 3644 and eventrecord 3646. Because the event records are time ordered in the eventlog, a temporal neighborhood 3648 may be defined to extend, in time,above, below, or both above and below the time point 3642 of thecritical event. In certain cases, the critical events may, in fact,themselves be identified event-log entries. In other cases, the criticalevents may be identified, manually, by system administrators, or byother types of data stored by the distributed computing system.

FIG. 37 illustrates computation of the significance of an event message.First, as shown in equation 3702, an event message has a type that canbe considered to be computable as a function of the cluster ID of thecluster to which the event message is assigned by the clusteringsubsystem, the feature vector computed for the event message by theclustering subsystem, and the data values for any of the variablesextracted by the clustering subsystem from the event message using theparsing function and associated data-table template. Alternatively, thetype of event message may be considered to be a multi-dimensional vector3704 with elements including the cluster ID, feature vector, andvariable values, or a multi-dimensional sub-vector of themulti-dimensional vector 3704.

The next equation 3706 in FIG. 37 illustrates a generalized computationof a significance for an event message. The significance can beconsidered to be a function of the significance assigned to singleelements of vector 3704, as represented by arguments 3708, as well asthe significance assigned to all possible combinations of the elements,as represented in FIG. 37 by arguments 3710. For example, there may be asignificance associated with the cluster to which an event message isassigned, a significance associated with the feature vectorcorresponding to the event message, a significance associated with eachof the variable values, when considered independently, and significancesassociated with various combinations of these elements, such as asignificance associated to a cluster-ID, feature-vector pair. Inpractice, it is unlikely that the significance associated with eachpossible combination of elements of vector 3704 are computed. Instead,the significance of an event message is practically estimated from somesparse set of significances computed for elements and/or combinations ofelements in the event-message-type defining vector 3704.

FIGS. 38A-E illustrate various distance-based and density-based methodsfor estimating the significance of an event message based on the featurevector computed for the event message. As shown in FIG. 38A, thepositions represented by the feature vectors computed by the clusteringsubsystem for event-message types occupy a volume in n dimensions, wheren is the number of elements in each feature vector, populated by pointscorresponding to feature vectors 3802. For example, the point orposition 3804 for event message i is defined by the feature vector 3806computed for event message i. As discussed in preceding subsections,depending on the method used to generate feature vectors, thefeature-vector space may or may not be Euclidean and distances betweenpoints in the feature-vector space may or may not be computed by thewell-known Euclidean distance metric. However, regardless of how thefeature vectors are computed, the feature-vector space is generallyassociated with a well-defined distance metric that allows distancesbetween points represented by feature vectors to be computed. Thesecomputable distances form the basis for a variety of differentsignificance computations, four of which are illustrated in FIGS. 38B-E.As shown in FIG. 38B, one estimate of the significance of a featurevector v_(e) computed for event message e is the distance 3808 betweenthe position represented by the feature vector v_(e) 3810 and theposition 3812 represented by the feature vector v_(c) associated withthe cluster to which event message e is assigned. Another potentialestimate of significance, as shown in FIG. 38C, is the ratio of theaverage density of positions corresponding to feature vectors within theentire feature-vector space (3802 in FIG. 38A) to the local density offeature-vector positions in the neighborhood of the position 3814corresponding to feature vector v_(e) computed for event message e. Asshown in FIG. 38D, yet another estimate of the significance of thefeature vector v_(e) corresponding to event message e may be based onthe distance d_(k) 3816 between the position represented by featurevector v_(e) 3818 computed for event message e and the positionrepresented by feature vector v_(k) 3820 computed for the k^(th) nearestneighbor to the position represented by feature vector v_(e) 3818.Finally, as shown in FIG. 38E, another estimate of the significance offeature vector v_(e) for event message e is the distance d 3822 betweenthe positions represented by v_(e) 3824 and the centroid of the featurevectors of event-message types associated with the cluster [v_(c)] 3826.There are many additional distance-related metrics that may be used toestimate the significance of a feature vector.

FIG. 39 illustrates another approach to estimating significance of anevent message e_(i). Given some type of similarity metric for pairs ofevent messages, such as various types of distance metrics computed fromfeature-vector positions of the event messages of a pair, a totalpair-wise similarity for the event messages of a cluster can be computedboth for a cluster containing all of the event messages as well as acluster from which one of the event messages is removed. In FIG. 39, thepair-wise similarity for the complete cluster 3902 is computed as anaverage distance between the positions of pairs of event-message typeswithin the cluster 3904. A similar computation is carried out for thecluster from which one of the event-message types has been removed 3906.When the removed event-message type is the type of event message e_(i),then a significance value for the event-message type e_(i) can becomputed 3908 as the pair-wise similarity computed for the clusterwithout event-message-type e_(i) 3910 minus the pair-wise similaritymetric computed for the full cluster 3912. When the similarity computedfor the full cluster is less than the similarity computed for thecluster without event-message type e_(i), then event e_(i) has apositive significance. The magnitude of the significance is proportionalto the difference between cumulative pair-wise similarity metrics 3910and 3912.

FIG. 40 illustrates a variety of other types of significance factorsthat can be computed based on analysis of event logs. In FIG. 40, a plot4002 is shown for the number of event messages of a particular typee_(x) that occur within small intervals of time along a temporal axis4004. For example, during time interval 4006, a single occurrence ofevent message e_(x) 4008 is observed in the event log. In the exampleshown in FIG. 40, there are 53 time increments along the temporal axis4004 and a total of 53 observed occurrences of the event message e_(x).Thus, the average rate of occurrence of event messages of type e_(x) pertime interval is 1, with the average symbolically represented by a 4010.The temporal axis 4004 represents a time window within the event logduring which various types of significance factors are computed. Thistime window may, for example, include the most recently logged eventmessages. Various different characteristics computable from plot 4002are illustrated in FIG. 40. These include: (1) the highest peak h 4012;(2) the largest number of e_(x) messages within i successive timeintervals, m_(i) 4014, examples of which include m₁, m₂, and m₃4016-4018, the highest peak in an i-interval neighborhood about acritical point c, h_(c,i) 4020; and (3) the largest number of messagesof type e_(x) in i successive intervals within a j-interval neighborhoodabout a critical point c, m_(c,i,j) 4022. As mentioned above, eitherone-sided or symmetrical or asymmetrical two-sided neighborhoods about acritical-event time can be used. Then, from these characteristics, anumber of different types of significance factors 4024 can be computed,such as:

$\frac{h}{a},a,\frac{m\; 1}{a},\frac{m\; 2}{a},\frac{\Sigma_{i}m\; 1}{i \cdot a},\frac{\Sigma_{c,x}h_{c,x}}{\Sigma_{c,x}a},{{and}\mspace{14mu} {\frac{\Sigma_{c}m_{c,3,{ID}}}{\Sigma_{c}a}.}}$

The various types of significance metrics illustrated in FIGS. 38B-E,39, and 40 can be used to compute one or more significance metrics forindividual elements and various possible combinations of the elements ofthe event-message-type specifying vector. For example, event-log-basedmetrics may be computed for messages of types specified by varioussub-vectors of vector 3704. The computed significance values forindividual elements and various possible combinations of the elements ofthe event-message-type specifying can then be combined as a weighted sumto provide an estimate of the significance of an event-message type edefined by values of some number of elements x₁, x₂, x₃, . . . x_(n) ofthe event-message-type-defining vector 3704, as shown in the followingequation, in which α_(i) are weighting factors:

$\begin{matrix}{{{significance}\mspace{14mu} {e\left\lbrack {x_{1},x_{2},x_{3},\ldots \mspace{11mu},x_{n}} \right\rbrack}} = {{\alpha_{1}{{sig}\left( x_{1} \right)}} + {\alpha_{2}{{sig}\left( x_{2} \right)}} +}} \\{{{\alpha_{3}{{sig}\left( x_{3} \right)}} + \ldots \; +}} \\{{{\alpha_{12}{{sig}\left( {x_{1},x_{2}} \right)}} + {\alpha_{13}{{sig}\left( {x_{1},x_{3}} \right)}} + \ldots \; +}} \\{{{\alpha_{123}{{sig}\left( {x_{1},x_{2},x_{3}} \right)}} +}} \\{{{\alpha_{124}{{sig}\left( {x_{1},x_{2},x_{4}} \right)}} + \ldots \; +}} \\{{\alpha_{123}\mspace{11mu} {\ldots \mspace{14mu}}_{n}{{{sig}\left( {x_{1},x_{2},x_{3},\ldots \mspace{11mu},x_{n}} \right)}.}}}\end{matrix}$

Many of the weighting factors α_(i) may be 0, so that event-message-typesignificances can be estimated in a computationally efficient fashionfrom a subset of all possible significance terms.

FIGS. 41A-D illustrate, using control-flow diagrams, prioritization ofevent messages based on the above-discussed significance metrics. Instep 4102, the routine “cluster” has been modified to include setting ofan analysis timer. When the routine “cluster” detects expiration of theanalysis timer, in step 4110, the routine analysis is called in step4112. This modification provides for periodic analysis of event logs inorder to compute significances of various elements used to identifyevent-message types, as discussed above.

FIG. 41B illustrates a modification to the “cluster” routine. In themodification shown in FIG. 41B, a call to a routine “significance” ismade, in step 4120, following preparation of an event record for anincoming event message.

FIG. 41C provides a control-flow diagram for the routine “analysis,”called in step 4112 of FIG. 41A. The routine “analysis” computes varioussignificance metrics for various combinations of the elements of theevent-message-type defining vector used to compute the significance ofan event message, as discussed above with reference to the equationrepresenting the weighted sum of computed significances. The outerfor-loop of steps 4130-4137 considers each of the most recent n loggedevent records. An intermediate for-loop of steps 4131-4136 considerseach of the various computed entities, or elements, to which significantvalues are associated, including single elements and combinations ofelements of the event-message-type-defining vector. An innermostfor-loop of steps 4132-4135 considers each different metric that may becomputed for a particular single element or combination of elements.Once all the significances are computed, in nested for-loops 4133-4137,the analysis timer is reset in step 4140. It should be noted that theweighting factors α_(i) in the above-discussed equation for computingthe significance of an event-message type are generally constantparameters supplied manually but, in more sophisticated, adaptivesystems, may themselves be periodically recomputed based on anoptimization-type analysis constrained to offer a best possibleprediction of significant events with respect to some objectivecriteria.

FIG. 41D provides a control-flow diagram for the routine “significance,”called in step 4120 of FIG. 41B. In step 4150, the routine“significance” computes the significance for an incoming event messagefor which an event record has been prepared. This computation may usespecific values for the cluster ID, feature vector, variables extractedfrom the event message, and other such elements to look up computedsignificances for those elements previously computed by the routine“analysis.” These stored significance values are then multiplied bycorresponding weight factors and combined together to compute thesignificance for the event message. When the computed significance isgreater than a first threshold value, as determined in step 4152, thenthe routine “significance” marks the event record as being significantin step 4154. In certain implementations, the actual significance valuemay be included in the event record. In other implementations, a fieldwithin the event record may be set to indicate that the event recordcorresponds to a significant event. In yet additional implementations,the event record may have a field that can be set to a number ofdiscrete values corresponding to increasing significance. When thecomputing significance is greater than a second threshold as determinedin step 4156, the routine “significance” copies the event record to ahigh-significance event log, in step 4158. The high-significance eventlog may be much smaller than the event log that contains all eventmessages, and therefore may be easier to monitor and more efficient tostore for long periods of time. When the computed significance for theevent message is greater than a third threshold, as determined in step4160, the routine “significance” generates an alarm or notice, in step4162, which may be transmitted to an automated system-administrationsubsystem or to a human system administrator. Thus, reception of certaintypes of event messages may automatically generate alarms, notices, andother notifications within the distributed computing system.

Automated Displayed Event-Message Annotation Methods and Subsystems towhich the Current Document and Claims are Directed

FIGS. 42A-B illustrate certain advantages provided by event clustering,discussed in previous subsections, related to display of event-log andlog-file entries, which can be clustered into event-type categories bythe above-discussed clustering methods. FIG. 42A shows anevent-log-display-application user interface in which information aboutnumerous logged events is displayed. The display window 4202 issufficiently large to display textural representations of only 15events. The actual number of events, in this example, is over 70,000, asa result of which a user would need to scroll through many pages ofdisplayed events and carry out extensive mental analysis in order toattempt to draw conclusions as to underlying states of, and problemsassociated with, the computer system in which the events are generated.When the above-described methods are used to cluster events into eventtypes, and when a customer elects to display information about the eventtypes in the log file, rather than discrete events, a much moreaccessible display of information is provided, as shown in FIG. 42B. Inthis case, the display window 4204 displays information related to thoseevent types to which the discrete events, displayed in FIG. 42A, belong.In the example from which FIGS. 42A-B were generated, two-thirds of theover 70,000 discrete events belong to just 19 event types. In this case,when the event types are displayed in descending order based on thenumber of events in the event log belonging to the event types, a usercan quickly ascertain the predominant event types recorded in the eventlog and, from the identities and order of the event types, can oftenimmediately begin to propose hypotheses as to the state of, and problemsassociated with, the computer system in which the events were generated.

While it is clear that event typing, alone, provides enormous advantagesin the display of event-log entries, as discussed above with referenceto FIGS. 42A-B, display of event types, alone, is not a completesolution to the problems faced by developers, systems administrators,and other professionals who need to analyze the contents of event logsand/or monitor textural representations of events in real time in orderto ascertain the state and various operational characteristics of acomputer system as well as to identify and diagnose particular problems.For example, presented with the displayed representations of the eventtypes to which the most frequently occurring events belong, as in thedisplayed event types within the display screen shown in FIG. 42B, auser may still need to access specific events in order to develop a setof search terms that the user can then input to various types of searchengines in order to find additional information about certain specifictypes of events and/or error messages, various groups of events and/orerror messages, and types of events. This information may include blogpages, FAQ pages from various forums, web-page articles, knowledge-basedarticles, links to various different types of documents, identifiers foron-line documents available from various archives and libraries,articles or specifications for various types of system components,including hardware and software components, and even postal addresses,email addresses, or telephone numbers for particular developers ordiagnostic experts who may be able to assist an analysis or diagnosisrelated to particular events, groups of events, or types of events.Currently, developing search criteria and carrying out searches is atime-consuming, tedious, and often imprecise approach to gatheringadditional information about various types of system states, operationalcharacteristics of a system, particular problems, and specific componentvalues.

FIGS. 43A-D illustrate the basis for an automated approach toefficiently obtaining additional information about event types,displayed to a user by an event-log-analysis system, such as in thedisplay screen shown in FIG. 42B. As shown in FIG. 43A, a particularcluster or event type 4302 represents a collection of specific events4304, such as specific entries found in event-log files or reportedthrough various types of event-reporting subsystems and displays. Theevent type, or cluster 4302, may represent anything from a handful ofspecific events to thousands or more different events, as discussed inprevious subsections. Any given specific event may be associated withmany different types of additional information. As shown in FIG. 43B, aspecific event 4306 may represent a number of different log messages4308, such as a particular parameterized log message in whichparameterized entities, such as dates or system names may vary. Thespecific parameterized event 4306 may be well known and described in avariety of different types of information sources. These may includedocuments, such as articles, blog pages, messages accumulated in a FAQ,web pages, documents obtained through online document-retrieval systems,and many other types of documents 4310 obtained from many differenttypes of remote systems, archives, data centers, libraries, and otherinformation sources 4312 and 4314. In addition, the specificparameterized event 4306 may be known to various individuals, such asdevelopers, system administrators, diagnostic experts, componentvendors, and other such individuals that can be reached on theirpersonal computer systems via email 4316 and/or by other types ofelectronic communications, including text messages and phone calls. Thespecific parameterized event 4306 may be associated with various typesof information in specific libraries, archives, or knowledge bases 4318,the various types of information retrievable by easily encoded addressesor search criteria. Finally, the parameterized event 4306 may bediscussed in product specifications or online information associatedwith particular types of system components, including processors 4320,data-storage devices 4322, and many other types of components, bothhardware and software. These are but a few of the many different typesof additional information that may be associated with a particularspecific parameterized event.

As shown in FIG. 43C, because each specific event associated with anevent cluster, or event type, may be associated with numerous differenttypes of additional information, the collection of events 4304associated with a particular event cluster or event type 4302 may bedescribed by a great many different documents 4330, developers and otherexperts 4332 and 4333, and a huge number of additional informationentities too copious to show in a simple illustration.

Because of the enormous amount of information that may be potentiallyavailable for any given event cluster or event type, only a systematic,automated approach to collecting and associating additional informationavailable from many different information sources for each event type orevent cluster can provide the accurate, efficient, and rapid display ofadditional information related to event types to users through anevent-type-occurrence display interface, such as that discussed abovewith reference to FIG. 42B. Therefore, in the disclosed implementations,as shown in FIG. 43D, each event type or event cluster 4302 isassociated, via automated methods and subsystems, with a set ofdescriptors 4340 for the additional information available for the givenevent cluster or event type 4302. The set of descriptors is stored inone or more physical data-storage devices, including electronic,electromechanical, and electro-optico-mechanical data-storage devices,including magnetic-disk-based physical data-storage devices, electronicmemories, optically accessed disks, and other such physical data-storagedevices. Of course, those familiar with modern science and technologywell recognize that electromagnetic radiation does not and cannot storedata for subsequent retrieval and does not constitute, by any stretch ofthe imagination, a physical data-storage device. The set of descriptors4340 may be stored in flat files, in relational-database tables, andother types of databases, or as multi-field records in a variety ofdifferent types of databases and record-storing utilities. As shown inFIG. 43D, each descriptor, such as descriptor 4342, in the set ofdescriptors includes a type field 4344 that indicates the type of theencoded address for the information source 4346 in a second field aswell as a third description field 4348 that contains a short texturaldescription of the additional information.

FIG. 44 illustrates a simple relational-database schema used in oneimplementation of the disclosed methods and systems to store theadditional information that has been accumulated for event clusters orevent types. This schema consists of five relational-database tables4402-4406. Each row of the Information_Type table 4402 represents aparticular type of additional information. Each row contains values fortwo different columns 4408-4409 that correspond to a numeric ID for theinformation-source type and a textural description of the type,respectively. For example, the third row 4410 represents the type“article” which is assigned the identifier “3.” Each row of theSource_Type table 4403 represents a type of information-source addressor descriptor. Each row contains values for two different columns4412-4413 that represent a numerical identifier for theinformation-source address or descriptor and textural description of theinformation-source address or descriptor, respectively. For example, thefirst row 4414 in the Source_Type table 4413 represents a uniformresource locator (“URL”) that is assigned a numeric identifier “1.” Eachadditional-information entity for each event type is contained in theAssociated_Information table 4404. Each row of theAssociated_Information table represents a particularadditional-information entity that is associated with a particular eventcluster or event type. The Associated_Information table 4404 includesthe five columns 4420-4424 shown in FIG. 44 and may contain additionalcolumns, as represented by broken column 4426. The five columns include:(1) A_ID 4420, an identifier for the additional-information entity; (2)T_ID 4421, the ID for the information type of the additional-informationentity; (3) S_ID 4422, the source type for the additional-informationentity; (4) Source 4423, an address or descriptor appropriatelyconstructed and formatted for the information source from which theadditional information entity can be obtained using the address ordescriptor; and (5) Description 4424, a textural description for theadditional-information entity. Each row of the Events table 4406represents a different event cluster or event type. Each event type ischaracterized by a numeric event identifier, represented by column 4430,and a textural description of the event type, represented by column4432. Broken column 4434 indicates that other columns may be present inan events table. Finally, the table Associations 4405 representsassociations between associated-information entities, represented byrows in the Associated_Information table 4404, and event types,represented by rows in the Events table 4434. In addition, each eventtype associated with an additional-information entity is alsorepresented by a numeric rank value, indicating the rank of theassociated-information entity with respect to all associated-informationentities associated with the particular event type. Thus, theAssociations table 4405 includes three columns representing event-typeidentifiers 4436, a second column representingassociated-information-entity identifiers 4438, and a third columnrepresenting numerical ranks 4440.

FIG. 45 provides a structured query language (“SQL”) routine thatgathers additional-information entities related to a particular eventtype from the relational-database table shown in FIG. 44 and insertsthem into a Results table for use by a display routine for displayingadditional information related to event types, as discussed below. TheSQL procedure is named “GetAnnotations” and takes a single argumentetype that is a variable-character-string representation of an eventtype 4504. First, the procedure “GetAnnotations” creates the Resultstable 4506. This table is then populated by rows from an implied tablecreated by a select clause that represents a join between the fivetables shown in FIG. 44 4508. This routine assumes that the results aresubsequently used by an events-display routine and then dropped prior toa next call to the procedure “GetAnnotations.”

FIGS. 46A-D illustrate one implementation of an event-type displayinterface, such as that discussed above with reference to FIG. 42B, thatfurther includes mechanisms for the display of additional informationassociated with any particular event type, using additional informationstored within a physical data-storage device, such as aphysical-data-storage device storing the above-discussed relationaltables. In FIG. 46A, the event-type display screen 4602, previouslyprovided in FIG. 42B, is shown with a mouse-controlled cursor 4604positioned to point to, or select, the displayed event type 4606.Positioning of the cursor to point to displayed event type 4606automatically elicits display of an additional-information window 4608that displays a textural representation for the highest-rankedadditional information associated with the event type 4606. Thedisplayed information includes a hyperlink 4610, to which a user mayinput a mouse click to display the blog page entitled “What To Do WithError 6107.” In addition, the additional-information window 4608includes a “more info” feature 4612, to which the user may input a mouseclick to display more or all of the additional information associatedwith the event type.

FIG. 46B illustrates movement of the cursor by the user, via the user'smouse, to point to the hyperlink 4610 in order to display the blog pageentitled “What to do with Error 6107.” When the user inputs a mouseclick to the hyperlink, the blog page is displayed over, to the side of,above, or below the event-type display screen 4602 to allow the user toread the blog page to obtain additional information about event type4606. FIG. 46C illustrates movement of the cursor 4604, by manipulationof the user's mouse, to point to the “more info” input feature 4612.When the user inputs a mouse click to the “more info” input feature4612, indications of the additional-information entities related toevent type 4606 are displayed in a separate scrollable window, as shownin FIG. 46D. The scrollable window includes a scroll feature 4620 that auser can manipulate with the user's mouse to scroll throughrepresentations of the various additional-information entitiesassociated with event type 4606. Input of a mouse click to a particularadditional-information entity results in display of theadditional-information entity over, to the side of, above, or below theevent-type display window 4602. Thus, while viewing event typesdisplayed by an event-log-analysis-and-rendering application, the usermay quickly identify and display additional info nation associated withthe event in order to formulate hypotheses and carry out analyses basedon the displayed event types without having to methodically and slowlyaccumulate information to pose queries to one or more search engines. Ascan be appreciated by developers, system administrators and other whohave had to analyze events stored in event logs and displayed throughevent-log-analysis applications, the ability to identify and displayadditional information related to displayed log events via mousemanipulation and input of mouse clocks to hyperlinks and displayed textscan greatly facilitate use of displayed event-log entries for any of themany different purposes for which event-log files are used.

FIGS. 47A-C provide control-flow diagrams that illustrate how display ofadditional information related to event types or event clusters isincorporated into a subsystem that displays event-log entries and/orevent types, examples of which include the display screens shown inFIGS. 42A-B. One implementation that enhances such displays with displayof additional information related to event types or event clustersharvested from a variety of different information sources is discussedabove with reference to FIGS. 46A-D. FIG. 47A provides a control-flowdiagram for the event loop that underlies a subsystem that displaysevent-log entries and event types or clusters. This event loop isimplemented as the routine “display logs.” In step 4702, the routine“display logs” waits for a next event to occur. When a next eventoccurs, the type of event is determined by a series of conditionalsteps, such as step 4704, so that an appropriate handler for the eventcan then be called, such as invocation of the handler “launch display”4706 when the next-occurring event is a launch event. Incorporation ofthe display of additional information related to event types or eventclusters is obtained, in a described implementation, by the threeconditionals 4708-4710 that, when returning a true value, result incalling the three handlers 4712-4714. Following handling of thenext-occurring event, when there are more events queued for handling, asdetermined in step 4716, a next event is dequeued, in step 4718, priorto returning to step 4704. Otherwise, control returns to step 4702,where the routine “display logs” waits for a next event to occur.

When the next-occurring event is a mouse-over displayed-event-typeevent, as determined in step 4708, which, for example, occurs in thesituation shown in FIG. 46A when the cursor 4604 is moved over thedisplay event type 4606, the handler “display additional info” is calledin step 4713 to display the additional-information window (4608 in FIG.46A). When the next-occurring event is a mouse-overadditional-information-link event, as determined in step 4709, as arisesin the situation shown in FIG. 46B, when the cursor 4604 is moved topoint to hyperlink 4610, the handler “display additional info” is calledin step 4713. When the next-occurring event is a mouse-over the “moveinfo” feature event, as determined in step 4710, as occurs in thesituation shown in FIG. 46C, where the cursor 4604 has been moved topoint to the “more info” feature 4612, the handler “show more additionalinfo” is called in step 4714. Other similar event-recognizingconditionals and corresponding handlers may be included to handle, forexample, scrolling of the window, discussed above with reference to FIG.46D, that displays indications of the additional-information entitiesassociated with an event type or event cluster, events that arise frominputting, by a user, inputs to a displayed representation of anadditional-information entity displayed in the window shown in FIG. 46D,and for other such additional-information-display-related events.

FIG. 47B illustrates the handler “show additional info” called in step4712 of FIG. 47A. In step 4720, the handler receives an indication ofthe event type over which the cursor has been moved. This information isprovided by the log-entry display application, which tracks the eventtypes currently displayed in a display screen or other user interface inwhich event types are displayed to users. In step 4722, the handlerdetermines whether there is a current results table available for theevent type. For example, when the user moves the cursor away from aparticular event type and then moves the cursor back over the same eventtype, the results table populated by the previous mouse-over event mayremain available for use in handling the current mouse-over event. Whenthere is not a current results table for the current event type, asdetermined in step 4722, then, in step 4724, a call is made to thepreviously discussed procedure “GetAnnotations” to create and populatethe results table with additional-information entities related to theevent type of the displayed representation of the event type over whichthe mouse has been moved. In certain implementations, the currentresults table is dropped prior to calling the procure “GetAnnotations.”In step 4726, one or more rows from a results table are selected fordisplay in the additional-information window (4608 in FIG. 46A) invokedby the mouse-over event. When the rows in the results table are orderedby rank, an initial n rows of the results table contain thehighest-ranked additional-information entities and these n rows may beselected for display in the additional-information window. The number nmay be a fixed number or may be determined based on the screen areaavailable for the additional-information window, the currentdisplay-screen resolution, and other factors. In alternativeimplementations, the handler may choose to display the highest rankadditional-information entity for each of a number of different types ofadditional-information entities, such as the highest-ranked blog page,highest-ranked expert diagnostician, and highest-ranked authoritativearticle. In the for-loop of steps 4728-4730, each of the selected rowsare converted into displayable text for display within theadditional-information window. Finally, in step 4732, theadditional-information window is displayed to the user with thedisplayable texts generated in the for-loop of steps 4728-4730 displayedwithin the additional-information window.

FIG. 47C provides a control-flow diagram for the handler “displayadditional info,” called in step 4713 of FIG. 47A. In step 4740, thehandler receives an indication of the hyperlink over which the cursorhas been moved by a user. In step 4742, the handler uses this indicationto identify the type and location of information represented by thehyperlink, using information contained in the corresponding row of theresults table, and, in step 4744, accesses the information from theinformation source that provides the information. Finally, in step 4746,the handler displays the information, prepared for display in step 4744,to the user. For example, when the additional-information entitycorresponding to the hyperlink is a document, the handler may display athird-party display window appropriate for the document type, such as aportable document format (“PDF”) display window when the document is aPDF file.

FIG. 48 provides a control-flow diagram that illustrates preparation ofa database of additional-information entities, such as the databasestored in the relational tables discussed above with reference to FIG.44. The routine “database,” a control-flow diagram for which is providedin FIG. 48, may be called at regular intervals within a computer systemin order to create and maintain a database of additional-informationentities to provide for display of additional-information entitiesassociated with an event type or event clusters during display of eventtypes that summarize contents of event-log files or displays of otherinformation that include representations of events types or eventclusters. In step 4802, the routine receives indications of descriptorsfor the current event types for which additional information is to becollected as well as for an existing additional-information database.When the additional-information database has already been created andcurrently exists, as determined in step 4804, information entitiesaccumulated in the database for event types which are no longer validare purged, in step 4806. Otherwise, the database is created along withthe tables discussed above with reference to FIG. 44, in oneimplementation, in step 4808. In step 4810, web crawlers may be launchedand other types of information-gathering programs or routines may beadditionally launched to search for and collect additional informationabout the current event types described in the event-type descriptorsreceived in step 4802. In the for-loop of steps 4812-4816, for eachadditional-information entity found in step 4810, table updates areprepared, in step 4813 and, when the additional-information entity hasnot already been entered into the database, as determined in step 4814,the database is updated to include the additional-information entity instep 4815.

Although the present invention has been described in terms of particularembodiments, it is not intended that the invention be limited to theseembodiments. Modification within the spirit of the invention will beapparent to those skilled in the art. For example, any of many differentimplementation and design parameters, including hardware platforms,programming languages, virtualization layers, operating systems, modularorganization, control structures, data structures, and other such designand implementation parameters may be varied in order to produce numerousalternative implementations of the currently disclosed methods andsystems. Many different types of techniques may be used for displayingadditional-information entities related to event types and eventclusters. Additional-information-display windows may have differentsizes, resolutions, display formats, and may vary in many other ways.The additional-information entities may be rendered for display in avariety of different ways, each of which includes different descriptiveinformation. The choice of a subset of the additional-informationentities available for a particular event type or event cluster may bemade in a variety of different ways, including using ranks associatedwith addition-information entities to choose the highest-rankedadditional-information entities to initially display in anadditional-information-display window. Ranking may be based on userfeedback, on ranks provided by developers and experts, and based onother techniques, including automated, semi-automated, and manualtechniques. There are many approaches to accumulating and storingadditional-information entities for display to users, and many differenttypes of information-display events that may trigger display ofadditional-information entities with respect to event types and eventclusters. The above-discussed implementation represents only one of manydifferent possible approaches to the display of additional-informationentities associated with event types and event clusters.

It is appreciated that the previous description of the disclosedembodiments is provided to enable any person skilled in the art to makeor use the present disclosure. Various modifications to theseembodiments will be readily apparent to those skilled in the art, andthe generic principles defined herein may be applied to otherembodiments without departing from the spirit or scope of thedisclosure. Thus, the present disclosure is not intended to be limitedto the embodiments shown herein but is to be accorded the widest scopeconsistent with the principles and novel features disclosed herein.

1. A system that displays accumulated events, the system comprising: oneor more processors; one or more memories; one or more data-storagedevices; a display device; and computer instructions, stored in one ormore of the one or more memories that, when executed by one or more ofthe one or more processors, control the accumulated-event display systemto accumulate events in one or more of the one or more memories and oneor more data-storage devices; determine a set of event types, eachaccumulated event belonging to one of the event types; display, on thedisplay screen, active representations of event types to which theaccumulated events belong; and in response to an input directed to aparticular displayed active representation of an event type, accessingstored descriptions of information entities associated with event typesto select one or more of the stored descriptions of information entitiesassociated with the event type represented by the particular displayedrepresentation, and displaying, on the display screen, an activerepresentation of each of the one or more selected descriptions ofinformation entities, an input to each of which invokes display of acorresponding information entity.
 2. The system of claim 1 wherein, in afirst display mode, the system displays representations of events on thedisplay screen; and wherein, in a second display more, the systemdisplays, on the display screen, active representations of event typesto which the accumulated events belong.
 3. The system of claim 1 whereindescriptions of information entities associated with event types arestored in an associated-information database that, for each informationentity associated with an event type, stores: an indication of aninformation source for the information entity; an indication of the typeof information source; and an indication of the type of informationentity.
 4. The system of claim 2 wherein types of information sourcesinclude: a remote server that is accessed through a uniform resourcelocator; a person or system accessed through an email address; a personor system accessed through a phone number; a person accessed through amail address; a person or system accessed through a social network; aperson or system accessed through a web browser; component or systeminformation that is accessed through a stock keeping unit input to asearch engine or on-line information interface; and an on-lineinformation service accessed through a dial-up phone number.
 5. Thesystem of claim 1 wherein types of information entities include: a blogpage; a web page; an article encoded in a text file; an article encodedin a web page; a link to an article encoded in a web page; an articleencoded in a formatted file; a human developer; a human expert; afrequently-asked-question message or message response; afrequently-asked-question message or message response encoded in a webpage; a link to a frequently-asked-question message or message responseencoded in a web page; text stored in a database; a user manual orproduct specification encoded in a web page; and a link to a user manualor product specification encoded in a web page; and a user manual orproduct specification encoded in a text file; and a user manual orproduct specification encoded in a formatted file.
 6. The system ofclaim 1 wherein the accumulated events are one of: entries in event-logfiles; and error messages generated within one or more computer systems.7. The system of claim 1 wherein display of active representations ofeach of the one or more selected descriptions of information entitiesfurther comprises: displaying an additional-information text-displaywindow above, below, to the side of, or overlapping the displayed eventtypes, the additional-information text-display window including, foreach displayed active representation of each of the one or more selecteddescriptions of information entities, a textural description of theinformation entity embedded within, or displayed adjacent to, an activeinput feature that receives an input through an input device orsubsystem.
 8. The system of claim 7 wherein the active input feature isone of: a button or other feature to which an input is directed; ahyperlink to which an input is directed; and an active area of thedisplay screen underlying the displayed active representation to whichan input is directed.
 9. The system of claim 1 wherein event types aregenerated by: receiving event messages; and processing each of thereceived event messages by normalizing the event message to identifyparameter tokens within the event message, computing, usingnon-parameter tokens within the event message, a metric to represent theevent message, using the metric to select an event-message cluster towhich to assign the event message, generating an event record using anidentifier for the selected cluster and the parameter tokens, andstoring the event record within, or associated with, the selectedcluster in a physical data-storage device.
 10. A method that displaysaccumulated events in a system having one or more processors, one ormore memories, one or more data-storage devices, and a display device,the method comprising: accumulating events in one or more of the one ormore memories and one or more data-storage devices; determining a set ofevent types, each accumulated event belonging to one of the event types;displaying, on the display screen, active representations of event typesto which the accumulated events belong; and in response to an inputdirected to a particular displayed active representation of an eventtype, accessing stored descriptions of information entities associatedwith event types to select one or more of the stored descriptions ofinformation entities associated with the event type represented by theparticular displayed representation, and displaying, on the displayscreen, an active representation of each of the one or more selecteddescriptions of information entities, an input to each of which invokesdisplay of a corresponding information entity.
 11. The method of claim10 wherein, in a first display mode, displaying representations ofevents on the display screen; and wherein, in a second display more, thesystem displays, on the display screen, active representations of eventtypes to which the accumulated events belong.
 12. The method of claim 10wherein descriptions of information entities associated with event typesare stored in an associated-information database that, for eachinformation entity associated with an event type, stores: an indicationof an information source for the information entity; an indication ofthe type of information source; and an indication of the type ofinformation entity.
 13. The method of claim 12 wherein types ofinformation sources include: a remote server that is accessed through auniform resource locator; a person or system accessed through an emailaddress; a person or system accessed through a phone number; a personaccessed through a mail address; a person or system accessed through asocial network; a person or system accessed through a web browser;component or system information that is accessed through a stock keepingunit input to a search engine or on-line information interface; and anon-line information service accessed through a dial-up phone number. 14.The system of claim 1 wherein types of information entities include: ablog page; a web page; an article encoded in a text file; an articleencoded in a web page; a link to an article encoded in a web page; anarticle encoded in a formatted file; a human developer; a human expert;a frequently-asked-question message or message response; afrequently-asked-question message or message response encoded in a webpage; a link to a frequently-asked-question message or message responseencoded in a web page; text stored in a database; a user manual orproduct specification encoded in a web page; and a link to a user manualor product specification encoded in a web page; and a user manual orproduct specification encoded in a text file; and a user manual orproduct specification encoded in a formatted file.
 15. The method ofclaim 10 wherein the accumulated events are one of: entries in event-logfiles; and error messages generated within one or more computer systems.16. The method of claim 10 wherein display of active representations ofeach of the one or more selected descriptions of information entitiesfurther comprises: displaying an additional-information text-displaywindow above, below, to the side of, or overlapping the displayed eventtypes, the additional-information text-display window including, foreach displayed active representation of each of the one or more selecteddescriptions of information entities, a textural description of theinformation entity embedded within, or displayed adjacent to, an activeinput feature that receives an input through an input device orsubsystem.
 17. The method of claim 16 wherein the active input featureis one of: a button or other feature to which an input is directed; ahyperlink to which an input is directed; and an active area of thedisplay screen underlying the displayed active representation to whichan input is directed.
 18. The method of claim 10 wherein event types aregenerated by: receiving event messages; and processing each of thereceived event messages by normalizing the event message to identifyparameter tokens within the event message, computing, usingnon-parameter tokens within the event message, a metric to represent theevent message, using the metric to select an event-message cluster towhich to assign the event message, generating an event record using anidentifier for the selected cluster and the parameter tokens, andstoring the event record within, or associated with, the selectedcluster in a physical data-storage device.
 19. Computer instructionsencoded in a physical data-storage device that, when executed by one ormore processors of a system having one or more memories, one or moredata-storage devices, and a display device, control the system to:accumulate events in one or more of the one or more memories and one ormore data-storage devices; determine a set of event types, eachaccumulated event belonging to one of the event types; display, on thedisplay screen, active representations of event types to which theaccumulated events belong; and in response to an input directed to aparticular displayed active representation of an event type, accessstored descriptions of information entities associated with event typesto select one or more of the stored descriptions of information entitiesassociated with the event type represented by the particular displayedrepresentation, and display, on the display screen, an activerepresentation of each of the one or more selected descriptions ofinformation entities, an input to each of which invokes display of acorresponding information entity.
 20. The computer instructions of claim19 wherein the accumulated events are one of: entries in event-logfiles; and error messages generated within one or more computer systems.